Description

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service. This issue has been patched in version 1.1.1.
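The defence the advisory describes (a cap on how much an .apk stream may expand) is easy to get wrong with a plain io.LimitReader, which silently truncates the tar at the cap and lets a build proceed on a partial archive. The example below is added here as an illustration and is not apko's own code or its actual patch: a hypothetical ExpandGzipWithLimit helper wraps a gzip reader in a limitedReader that returns an error the moment the expanded byte count passes the cap, so the caller aborts instead of filling the disk. It treats the .apk as a single gzip stream (real APK v2 files are several concatenated gzip members, which the same wrapper would handle identically since the cap counts expanded bytes regardless of member boundaries) and uses a constructed highly compressible blob as input.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressionLimit is returned once the expanded stream exceeds the cap.
var ErrDecompressionLimit = errors.New("expanded data exceeds decompression limit")

// limitedReader wraps r and fails hard once more than max bytes have been
// produced. Unlike io.LimitReader, which truncates silently at the cap, it
// reports the overrun so the caller can abort rather than use a partial tar.
// Hypothetical helper, not from apko.
type limitedReader struct {
	r   io.Reader
	n   int64 // expanded bytes seen so far
	max int64 // hard cap on expanded bytes
}

func (l *limitedReader) Read(p []byte) (int, error) {
	n, err := l.r.Read(p)
	l.n += int64(n)
	if l.n > l.max {
		return n, ErrDecompressionLimit
	}
	return n, err
}

// ExpandGzipWithLimit decompresses a gzip payload but refuses to produce more
// than maxBytes of output, returning ErrDecompressionLimit in that case.
// Hypothetical helper standing in for a bounded expansion step.
func ExpandGzipWithLimit(compressed []byte, maxBytes int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	lr := &limitedReader{r: zr, max: maxBytes}
	out, err := io.ReadAll(lr)
	if err != nil {
		return nil, err
	}
	return out, nil
}

// MakeCompressibleBlob builds a constructed sample input: n zero bytes gzipped,
// which compresses to a tiny payload (roughly 1000:1) yet expands back to n
// bytes, the shape of the small-but-inflating .apk the advisory describes.
func MakeCompressibleBlob(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(make([]byte, n))
	zw.Close()
	return buf.Bytes()
}

func main() {
	blob := MakeCompressibleBlob(1 << 20) // 1 MiB of zeros
	fmt.Printf("compressed payload: %d bytes\n", len(blob))

	// A generous cap lets a legitimately sized package through.
	out, err := ExpandGzipWithLimit(blob, 2<<20)
	fmt.Printf("cap 2 MiB: expanded %d bytes, err=%v\n", len(out), err)

	// A cap below the true expanded size aborts the expansion instead of
	// exhausting disk space or CPU on the build host.
	_, err = ExpandGzipWithLimit(blob, 64<<10)
	fmt.Printf("cap 64 KiB: err=%v\n", err)
}
```

The cap should be chosen per package from a trusted size hint where one exists (or a fixed ceiling otherwise), and the check belongs on the expanded side of the decompressor, not on the size of the fetched .apk, since the whole point of the attack is that the compressed input is small.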

INFO

Published Date :

2026-02-04T19:02:20.988Z

Last Modified :

2026-02-04T19:17:36.596Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by the CVE-2026-25140 vulnerability.

Vendors and their affected products:

Chainguard
  • Apko

Chainguard-dev
  • Apko
REFERENCES

Here you will find a curated list of external links that provide in-depth information about CVE-2026-25140.

CVSS Vulnerability Scoring System

The CVSS chart and its per-vector values are not present in this extract. The vector components it covered are: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality Impact, Integrity Impact, Availability Impact.