Description
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1.
Published: 2026-02-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write via Path Traversal
Action: Patch
AI Analysis

Impact

The flaw in apko’s dirFS abstraction stems from its use of filepath.Join without verifying that the resulting path remains inside the intended base directory. A malicious APK package can thus instruct apko to create directories or symlinks outside the installation root, allowing the attacker to write arbitrary files during an image build. This can overwrite critical configuration files, inject executable payloads, or otherwise compromise the build environment and the resulting container image. The vulnerability is categorized as path traversal.
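The missing containment check, as an added Go example that is not apko's code: naiveJoin is the bare filepath.Join pattern the advisory describes, and safeJoin is a hypothetical hardened replacement that rejects any package-supplied name whose cleaned result lands above the base directory. The root "/work/rootfs" and the package paths are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a package-supplied path would land outside
// the installation root after cleaning.
var ErrOutsideBase = errors.New("path escapes base directory")

// naiveJoin is the unsafe pattern the advisory describes: filepath.Join cleans
// "..", so a name with more ".." segments than base has depth resolves above base.
func naiveJoin(base, name string) string {
	return filepath.Join(base, name)
}

// safeJoin adds the containment check: join, then verify that the cleaned
// result is base itself or a descendant of base before returning it.
func safeJoin(base, name string) (string, error) {
	base = filepath.Clean(base)
	full := filepath.Join(base, name)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	// ".." or "../..." points above base; testing for the separator keeps a
	// legitimate name such as "..cache" from being rejected.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	base := "/work/rootfs" // constructed installation root
	for _, name := range []string{"usr/bin", "../../etc/cron.d", "..cache"} {
		safe, err := safeJoin(base, name)
		fmt.Printf("%-20q naive=%-24q safe=%q err=%v\n", name, naiveJoin(base, name), safe, err)
	}
}
```

An absolute name such as "/etc/passwd" is not an escape here, because filepath.Join treats it as relative to base; only upward traversal is rejected.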

Affected Systems

Chainguard-provided apko versions from 0.14.8 up to (but not including) 1.1.1 are affected. The fix was released with version 1.1.1, which validates path boundaries and prevents the described write escalation.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, but the EPSS score of under 1% suggests that exploitation is presently rare. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker who can supply a compromised or typosquatted APK package to the build process; the attack vector is therefore indirect but can occur if build pipelines rely on external repositories or untrusted package sources.

Generated by OpenCVE AI on April 17, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade apko to version 1.1.1 or later to apply the path-validation fix.
  • Restrict the sources of APK packages used in your build pipeline; only fetch from trusted, signed repositories.
  • Isolate the build environment with minimal permissions so that even if a malicious file is written, it cannot affect system daemons or critical configuration.


Advisories

Source: Github GHSA
ID: GHSA-5g94-c2wx-8pxw
Title: apko has a path traversal in apko dirFS which allows filesystem writes outside base
History

Fri, 20 Feb 2026 21:45:00 +0000

Values added:
  First time appeared: Chainguard; Chainguard apko
  Weaknesses: CWE-22
  CPEs: cpe:2.3:a:chainguard:apko:*:*:*:*:*:go:*:*
  Vendors & Products: Chainguard; Chainguard apko

Thu, 05 Feb 2026 11:45:00 +0000

Values added:
  First time appeared: Chainguard-dev; Chainguard-dev apko
  Vendors & Products: Chainguard-dev; Chainguard-dev apko

Wed, 04 Feb 2026 20:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 19:15:00 +0000

Values added:
  Description: (identical to the Description section at the top of this page)
  Title: apko is vulnerable to path traversal in apko dirFS which allows filesystem writes outside base
  Weaknesses: CWE-23
  References: (none listed)
  Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}
MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-04T19:18:52.495Z
Reserved: 2026-01-29T14:03:42.539Z
Link: CVE-2026-25121

Vulnrichment

Updated: 2026-02-04T19:18:24.330Z

NVD

Status: Analyzed
Published: 2026-02-04T19:16:14.790
Modified: 2026-02-20T21:31:35.587
Link: CVE-2026-25121

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:30:15Z

Weaknesses