CVE-2026-25140

{"id": "CVE-2026-25140", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-04T19:16:15.117", "references": [{"url": "https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-f4w5-5xv9-85f6", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service. This issue has been patched in version 1.1.1."}, {"lang": "es", "value": "apko permite a los usuarios construir y publicar im\u00e1genes de contenedor OCI construidas a partir de paquetes apk. Desde la versi\u00f3n 0.14.8 hasta antes de la 1.1.1, un atacante que controle o comprometa un repositorio APK utilizado por apko podr\u00eda causar el agotamiento de recursos en el host de compilaci\u00f3n. La funci\u00f3n ExpandApk en pkg/apk/expandapk/expandapk.go expande flujos .apk sin aplicar l\u00edmites de descompresi\u00f3n, permitiendo que un repositorio malicioso sirva un .apk peque\u00f1o y altamente comprimido que se infla en un gran flujo tar, consumiendo espacio en disco y tiempo de CPU excesivos, causando fallos de compilaci\u00f3n o denegaci\u00f3n de servicio. Este problema ha sido parcheado en la versi\u00f3n 1.1.1."}], "lastModified": "2026-02-20T21:31:56.623", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:chainguard:apko:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "D4999F65-41B1-42B5-8BFE-C5DD249E18F3", "versionEndExcluding": "1.1.1", "versionStartIncluding": "0.14.8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}