apko is vulnerable to path traversal in apko dirFS which allows filesystem writes outside base
Description
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability exists in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go build the target path with filepath.Join(), which collapses ".." segments into a clean path but never checks that the result still lies within the base directory, so a member name such as ../../etc escapes the root silently. This issue has been patched in version 1.1.1.
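The following is an added example, not apko's own code, showing the join-without-containment pattern the advisory describes beside a hardened variant. The dirFS type, safeJoin/unsafeJoin helpers, and the hostile member names are constructed for this illustration; treating an absolute member name as relative to the base is an assumption of the example, not something the advisory states about apko.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesBase is returned when a requested path would land outside base.
var ErrEscapesBase = errors.New("path escapes base directory")

// unsafeJoin is the pattern the advisory describes: filepath.Join with no
// containment check. Join cleans ".." segments, so joining "../../etc" onto
// "/tmp/root" silently yields "/etc" instead of an error.
func unsafeJoin(base, name string) string {
	return filepath.Join(base, name)
}

// safeJoin resolves name against base and rejects any result outside base.
// It covers "..", absolute names, and the prefix-match pitfall where
// "/tmp/rootkit" would pass a naive strings.HasPrefix(full, "/tmp/root").
func safeJoin(base, name string) (string, error) {
	base = filepath.Clean(base)
	// Assumption for this example: an absolute member name such as
	// "/etc/passwd" is meant relative to base, i.e. base/etc/passwd.
	name = strings.TrimLeft(filepath.ToSlash(name), "/")
	full := filepath.Join(base, filepath.FromSlash(name))
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves to %q", ErrEscapesBase, name, full)
	}
	return full, nil
}

// dirFS is a hypothetical, minimal stand-in for a base-rooted filesystem
// abstraction (not apko's type). Every mutating call goes through safeJoin.
type dirFS struct{ base string }

func (d dirFS) MkdirAll(name string, perm os.FileMode) error {
	full, err := safeJoin(d.base, name)
	if err != nil {
		return err
	}
	return os.MkdirAll(full, perm)
}

func (d dirFS) Mkdir(name string, perm os.FileMode) error {
	full, err := safeJoin(d.base, name)
	if err != nil {
		return err
	}
	return os.Mkdir(full, perm)
}

// Symlink validates the link location (newname). The link target (oldname)
// may legitimately be absolute or relative within the image, so it is stored
// verbatim. This check alone does not stop a later write that traverses an
// already-created symlink; that needs OS-level confinement such as os.Root.
func (d dirFS) Symlink(oldname, newname string) error {
	full, err := safeJoin(d.base, newname)
	if err != nil {
		return err
	}
	return os.Symlink(oldname, full)
}

func main() {
	base, err := os.MkdirTemp("", "dirfs-demo")
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(base)

	// Constructed member names, including ones a malicious apk could carry.
	names := []string{"usr/bin", "../../outside", "/etc/x", "../" + filepath.Base(base) + "kit/y"}
	for _, name := range names {
		fmt.Printf("%-32s unsafe=%s\n", name, unsafeJoin(base, name))
		if full, err := safeJoin(base, name); err != nil {
			fmt.Printf("%-32s safe  =REJECTED (%v)\n", name, err)
		} else {
			fmt.Printf("%-32s safe  =%s\n", name, full)
		}
	}

	fs := dirFS{base: base}
	fmt.Println("MkdirAll ../../outside:", fs.MkdirAll("../../outside", 0o755))
	fmt.Println("Symlink at ../escape:  ", fs.Symlink("/etc/passwd", "../escape"))
}
```

The containment test uses filepath.Rel rather than a string prefix so that a sibling directory sharing the base's name as a prefix is still rejected. Note the limit of any lexical check: if an earlier package member created base/lib as a symlink to /, a subsequent MkdirAll("lib/x") passes safeJoin yet writes to /x. Go 1.24's os.Root confines Mkdir, Create and friends at the OS level and refuses such symlink escapes, which is the stronger fix for a filesystem abstraction that unpacks untrusted archives.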
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| chainguard.dev/apko (Go) | >= 0.14.8, < 1.1.0 | 1.1.0 |
Affected products
OSV coordinates (package URL, affected range):
- pkg:apk/chainguard/amazon-ssm-agent: < 3.3.3270.0-r5
- pkg:apk/chainguard/amazon-ssm-agent-ecs-exec: < 3.3.3270.0-r5
- pkg:apk/chainguard/cg: < 0.2.201-r0
- pkg:apk/chainguard/chainctl: < 0.2.206-r0
- pkg:apk/chainguard/dagdotdev: < 0.0.20-r6
- pkg:apk/wolfi/dagdotdev: < 0.0.20-r6
- pkg:golang/chainguard.dev/apko: >= 0.14.8, < 1.1.0
- pkg:rpm/opensuse/govulncheck-vulndb (distro: openSUSE Leap 15.6): < 0.0.20260205T172317-150000.1.146.1
- CVE record range (no CPE): >= 0.14.8, < 1.1.1
References
- https://github.com/advisories/GHSA-5g94-c2wx-8pxw (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-25121 (NVD entry)
- https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14 (fix commit)
- https://github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw (vendor advisory)