{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25121", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-29T14:03:42.539Z", "datePublished": "2026-02-04T19:02:17.979Z", "dateUpdated": "2026-02-04T19:18:52.495Z"}, "containers": {"cna": {"title": "apko is vulnerable to path traversal in apko dirFS which allows filesystem writes outside base", "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "lang": "en", "description": "CWE-23: Relative Path Traversal", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw"}, {"name": "https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14", "tags": ["x_refsource_MISC"], "url": "https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14"}], "affected": [{"vendor": "chainguard-dev", "product": "apko", "versions": [{"version": ">= 0.14.8, < 1.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T19:02:17.979Z"}, "descriptions": [{"lang": "en", "value": "apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1."}], "source": {"advisory": "GHSA-5g94-c2wx-8pxw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T19:18:20.797586Z", "id": "CVE-2026-25121", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T19:18:52.495Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25121", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-29T14:03:42.539Z", "datePublished": "2026-02-04T19:02:17.979Z", "dateUpdated": "2026-02-04T19:18:52.495Z"}, "containers": {"cna": {"title": "apko is vulnerable to path traversal in apko dirFS which allows filesystem writes outside base", "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "lang": "en", "description": "CWE-23: Relative Path Traversal", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw"}, {"name": "https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14", "tags": ["x_refsource_MISC"], "url": "https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14"}], "affected": [{"vendor": "chainguard-dev", "product": "apko", "versions": [{"version": ">= 0.14.8, < 1.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T19:02:17.979Z"}, "descriptions": [{"lang": "en", "value": "apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1."}], "source": {"advisory": "GHSA-5g94-c2wx-8pxw", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25121", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T19:18:20.797586Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T19:18:24.330Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chainguard:apko:*:*:*:*:*:go:*:*", "matchCriteriaId": "D4999F65-41B1-42B5-8BFE-C5DD249E18F3", "versionEndExcluding": "1.1.1", "versionStartIncluding": "0.14.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1."}, {"lang": "es", "value": "apko permite a los usuarios construir y publicar im\u00e1genes de contenedor OCI construidas a partir de paquetes apk. Desde la versi\u00f3n 0.14.8 hasta antes de la 1.1.1, se descubri\u00f3 una vulnerabilidad de salto de ruta en la abstracci\u00f3n del sistema de archivos dirFS de apko. Un atacante que pueda suministrar un paquete APK malicioso (por ejemplo, a trav\u00e9s de un repositorio comprometido o con typosquatting) podr\u00eda crear directorios o enlaces simb\u00f3licos fuera de la ra\u00edz de instalaci\u00f3n prevista. Los m\u00e9todos MkdirAll, Mkdir y Symlink en pkg/apk/fs/rwosfs.go usan filepath.Join() sin validar que la ruta resultante permanezca dentro del directorio base. Este problema ha sido parcheado en la versi\u00f3n 1.1.1."}], "id": "CVE-2026-25121", "lastModified": "2026-02-20T21:31:35.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-04T19:16:14.790", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:20:39.063486+00:00", "value": {"mitigation_remediation": ["Upgrade apko to version 1.1.1 or later to apply the path\u2011validation fix.", "Restrict the sources of APK packages used in your build pipeline; only fetch from trusted, signed repositories.", "Isolate the build environment with minimal permissions so that even if a malicious file is written, it cannot affect system daemons or critical configuration."], "summary": {"action": "Patch", "impact": "Arbitrary File Write via Path Traversal"}, "threat_synthesis": {"affected_systems": "Chainguard\u2011provided apko versions from 0.14.8 up to (but not including) 1.1.1 are affected. The fix was released with version 1.1.1, which validates path boundaries and prevents the described write escalation.", "description_and_impact": "The flaw in apko\u2019s dirFS abstraction stems from its use of filepath.Join without verifying that the resulting path remains inside the intended base directory. A malicious APK package can thus instruct apko to create directories or symlinks outside the installation root, allowing the attacker to write arbitrary files during an image build. This can overwrite critical configuration files, inject executable payloads, or otherwise compromise the build environment and the resulting container image. The vulnerability is categorized as path traversal.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity, but the EPSS score of under 1% suggests that exploitation is presently rare. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker who can supply a compromised or typosquatted APK package to the build process; the attack vector is therefore indirect but can occur if build pipelines rely on external repositories or untrusted package sources."}}}}, "created": "2026-02-05T11:39:52.346145+00:00", "updated": "2026-04-17T23:30:15.910593+00:00", "vendors": ["chainguard-dev", "chainguard-dev$PRODUCT$apko"]}