CVE-2026-25121

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-25121
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14 Patch
https://github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:chainguard:apko:*:*:*:*:*:go:*:*
History

20 Feb 2026, 21:31

Type Values Removed Values Added
References () https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14 - () https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14 - Patch
References () https://github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw - () https://github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw - Third Party Advisory
Summary
  • (es) apko permite a los usuarios construir y publicar imágenes de contenedor OCI construidas a partir de paquetes apk. Desde la versión 0.14.8 hasta antes de la 1.1.1, se descubrió una vulnerabilidad de salto de ruta en la abstracción del sistema de archivos dirFS de apko. Un atacante que pueda suministrar un paquete APK malicioso (por ejemplo, a través de un repositorio comprometido o con typosquatting) podría crear directorios o enlaces simbólicos fuera de la raíz de instalación prevista. Los métodos MkdirAll, Mkdir y Symlink en pkg/apk/fs/rwosfs.go usan filepath.Join() sin validar que la ruta resultante permanezca dentro del directorio base. Este problema ha sido parcheado en la versión 1.1.1.
CWE CWE-22
CPE cpe:2.3:a:chainguard:apko:*:*:*:*:*:go:*:*
First Time Chainguard apko
Chainguard

04 Feb 2026, 19:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-04 19:16

Updated : 2026-02-20 21:31

NVD link : CVE-2026-25121

Mitre link : CVE-2026-25121

CVE.ORG link : CVE-2026-25121

JSON object : View

Products Affected

chainguard

  • apko
CWE
CWE-23

Relative Path Traversal

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')