Description

apko builds and publishes OCI container images from apk packages. Versions from 0.14.8 up to but not including 1.1.1 contain a path traversal vulnerability in apko's dirFS filesystem abstraction. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go join the caller-supplied path onto the base directory with filepath.Join() but never verify that the resulting path stays within that base directory. An attacker who can supply a malicious APK package (for example via a compromised or typosquatted repository) could therefore create directories or symlinks outside the intended installation root. The issue is fixed in version 1.1.1.
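To make the flaw concrete, the following is an added Go example written for this page; it is not apko's code, and the dirFS type, unsafeJoin, safeJoin and ErrEscapesRoot names are assumptions for the illustration. It contrasts the unchecked filepath.Join pattern the advisory describes with a join that rejects any result not rooted under the base directory, and wires the checked version into MkdirAll, Mkdir and Symlink methods on a minimal root-anchored filesystem.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned when a joined path would leave the root.
var ErrEscapesRoot = errors.New("path escapes installation root")

// dirFS is a hypothetical, minimal model of a directory-rooted filesystem
// (an assumption for this example, not apko's own type): every operation
// takes a path relative to base and must stay underneath it.
type dirFS struct {
	base string // absolute path of the installation root
}

// unsafeJoin reproduces the vulnerable pattern the advisory describes:
// filepath.Join cleans ".." segments lexically, so a name such as
// "../../etc/cron.d/x" resolves to a path outside base with no error.
func unsafeJoin(base, name string) string {
	return filepath.Join(base, name)
}

// safeJoin joins name under base and rejects any result that is not base
// itself or a descendant of it. The check is lexical: filepath.Rel on the
// cleaned result must not start with "..".
func safeJoin(base, name string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(absBase, name)
	rel, err := filepath.Rel(absBase, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrEscapesRoot, name)
	}
	return joined, nil
}

// MkdirAll creates name (and any parents) under the root, refusing escapes.
func (d dirFS) MkdirAll(name string, perm os.FileMode) error {
	p, err := safeJoin(d.base, name)
	if err != nil {
		return err
	}
	return os.MkdirAll(p, perm)
}

// Mkdir creates a single directory under the root, refusing escapes.
func (d dirFS) Mkdir(name string, perm os.FileMode) error {
	p, err := safeJoin(d.base, name)
	if err != nil {
		return err
	}
	return os.Mkdir(p, perm)
}

// Symlink creates the link entry newname under the root, refusing escapes
// of the entry's own path. oldname (the target) is written as given;
// checking where a target resolves is a separate concern not covered here.
func (d dirFS) Symlink(oldname, newname string) error {
	p, err := safeJoin(d.base, newname)
	if err != nil {
		return err
	}
	return os.Symlink(oldname, p)
}

func main() {
	root, err := os.MkdirTemp("", "apko-root-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)

	// Constructed sample entry names, as they might appear in a malicious apk.
	for _, name := range []string{"usr/lib/app", "../../etc/cron.d/evil"} {
		fmt.Printf("unsafe: %-24s -> %s\n", name, unsafeJoin(root, name))
		if err := (dirFS{base: root}).MkdirAll(name, 0o755); err != nil {
			fmt.Printf("safe:   %-24s -> rejected: %v\n", name, err)
		} else {
			fmt.Printf("safe:   %-24s -> created under root\n", name)
		}
	}
}
```

The containment check is purely lexical: it does not resolve symlinks that already exist under the root, so a link inside the root that points outside it would still let a later write escape. That is a general caveat for any fix of this shape, not something the advisory states; resolving the parent with filepath.EvalSymlinks before writing, or using os.Root from Go 1.24 onward, closes that gap.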

INFO

Published Date :

2026-02-04T19:02:17.979Z

Last Modified :

2026-02-04T19:18:52.495Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25121.

Vendors and products
Chainguard
  • Apko
Chainguard-dev
  • Apko

CVSS Vulnerability Scoring System

Base metrics (values not shown on this page):
  • Attack Vector
  • Attack Complexity
  • Privileges Required
  • User Interaction
  • Scope
  • Confidentiality Impact
  • Integrity Impact
  • Availability Impact