CVE-2026-25140

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service. This issue has been patched in version 1.1.1.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09	Patch
https://github.com/chainguard-dev/apko/security/advisories/GHSA-f4w5-5xv9-85f6	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:chainguard:apko:*:*:*:*:*:go:*:*

History

No history.

Information

Published : 2026-02-04 19:16

Updated : 2026-02-20 21:31

NVD link : CVE-2026-25140

Mitre link : CVE-2026-25140

CVE.ORG link : CVE-2026-25140

JSON object : View

Products Affected

chainguard

apko

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2026-25140", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-04T19:16:15.117", "references": [{"url": "https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-f4w5-5xv9-85f6", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service. This issue has been patched in version 1.1.1."}, {"lang": "es", "value": "apko permite a los usuarios construir y publicar im\u00e1genes de contenedor OCI construidas a partir de paquetes apk. Desde la versi\u00f3n 0.14.8 hasta antes de la 1.1.1, un atacante que controle o comprometa un repositorio APK utilizado por apko podr\u00eda causar el agotamiento de recursos en el host de compilaci\u00f3n. La funci\u00f3n ExpandApk en pkg/apk/expandapk/expandapk.go expande flujos .apk sin aplicar l\u00edmites de descompresi\u00f3n, permitiendo que un repositorio malicioso sirva un .apk peque\u00f1o y altamente comprimido que se infla en un gran flujo tar, consumiendo espacio en disco y tiempo de CPU excesivos, causando fallos de compilaci\u00f3n o denegaci\u00f3n de servicio. Este problema ha sido parcheado en la versi\u00f3n 1.1.1."}], "lastModified": "2026-02-20T21:31:56.623", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:chainguard:apko:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "D4999F65-41B1-42B5-8BFE-C5DD249E18F3", "versionEndExcluding": "1.1.1", "versionStartIncluding": "0.14.8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}