Go modules package
chainguard.dev/apko
pkg:golang/chainguard.dev/apko
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42576 | Med | 6.5 | < 1.2.7 | 1.2.7 | May 9, 2026 | apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns | |
| CVE-2026-42575 | Hig | 7.5 | < 1.2.7 | 1.2.7 | May 9, 2026 | apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is | |
| CVE-2026-42574 | Hig | 7.5 | >= 0.14.8, < 1.2.5 | 1.2.5 | May 9, 2026 | apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write en | |
| CVE-2026-25121 | — | >= 0.14.8, < 1.1.0 | 1.1.0 | Feb 4, 2026 | apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromi | ||
| CVE-2026-25122 | — | >= 0.14.8, < 1.1.0 | 1.1.0 | Feb 4, 2026 | apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.0, expandapk.Split drains the first gzip stream of an APK archive via io.Copy(io.Discard, gzi) without explicit bounds. With an attacker-controlled input stream, | ||
| CVE-2025-53945 | Hig | 7.0 | >= 0.27.0, < 0.29.5 | 0.29.5 | Jul 18, 2025 | apko allows users to build and publish OCI container images built from apk packages. Starting in version 0.27.0 and prior to version 0.29.5, critical files were inadvertently set to 0666, which could likely be abused for root escalation. Version 0.29.5 contains a fix for the issu | |
| CVE-2024-36127 | Hig | 7.5 | < 0.14.5 | 0.14.5 | Jun 3, 2024 | apko is an apk-based OCI image builder. apko exposures HTTP basic auth credentials from repository and keyring URLs in log output. This vulnerability is fixed in v0.14.5. |
- affected < 1.2.7fixed 1.2.7
apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns
- affected < 1.2.7fixed 1.2.7
apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is
- affected >= 0.14.8, < 1.2.5fixed 1.2.5
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write en
- CVE-2026-25121Feb 4, 2026affected >= 0.14.8, < 1.1.0fixed 1.1.0
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromi
- CVE-2026-25122Feb 4, 2026affected >= 0.14.8, < 1.1.0fixed 1.1.0
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.0, expandapk.Split drains the first gzip stream of an APK archive via io.Copy(io.Discard, gzi) without explicit bounds. With an attacker-controlled input stream,
- affected >= 0.27.0, < 0.29.5fixed 0.29.5
apko allows users to build and publish OCI container images built from apk packages. Starting in version 0.27.0 and prior to version 0.29.5, critical files were inadvertently set to 0666, which could likely be abused for root escalation. Version 0.29.5 contains a fix for the issu
- affected < 0.14.5fixed 0.14.5
apko is an apk-based OCI image builder. apko exposures HTTP basic auth credentials from repository and keyring URLs in log output. This vulnerability is fixed in v0.14.5.