Description
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.0, expandapk.Split drains the first gzip stream of an APK archive via io.Copy(io.Discard, gzi) without explicit bounds. With an attacker-controlled input stream, this can force large gzip inflation work and lead to resource exhaustion (availability impact). The Split function reads the first tar header, then drains the remainder of the gzip stream by reading from the gzip reader directly without any maximum uncompressed byte limit or inflate-ratio cap. A caller that parses attacker-controlled APK streams may be forced to spend excessive CPU time inflating gzip data, leading to timeouts or process slowdown. This issue has been patched in version 1.1.0.
Published: 2026-02-04
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Resource Exhaustion (Availability)
Action: Patch
AI Analysis

Impact

Apko allows builders to incorporate apk packages into container images. From version 0.14.8 up to (but not including) 1.1.0, the expandapk.Split function drains the first gzip stream of an APK archive without any explicit limit on uncompressed data or inflation ratio. An attacker can supply a crafted APK stream that inflates to a very large size, forcing the process to perform extensive CPU‑bound decompression. This results in significant resource exhaustion, causing timeouts or slowing the build process and thereby impacting availability.

Affected Systems

The vulnerability affects Chainguard Development’s open‑source apko tool. All releases from 0.14.8 through 1.0.x are impacted, while the fix is included in version 1.1.0 and later.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity, and the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. The most probable exploitation path involves an entity that controls the input to the apko build process; if an attacker can supply a malicious APK archive, they can induce the large‑scale decompression and trigger resource starvation. Because the attack requires the attacker’s input to be processed, the threat is more likely in contexts where untrusted packages are accepted or when building images from external sources.

Generated by OpenCVE AI on April 17, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade apko to version 1.1.0 or newer to receive the official patch.
  • If upgrading is not feasible, run the apko build in a resource‑restricted environment, setting CPU and time limits to mitigate prolonged decompression.
  • Prior to calling expandapk.Split, validate the size and compression ratio of APK files and reject archives that exceed reasonable thresholds to avoid excessive inflation.

Generated by OpenCVE AI on April 17, 2026 at 23:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6p9p-q6wh-9j89 apko affected by unbounded resource consumption in expandapk.Split on attacker-controlled .apk streams
History

Fri, 20 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Chainguard
Chainguard apko
Weaknesses CWE-770
CPEs cpe:2.3:a:chainguard:apko:*:*:*:*:*:go:*:*
Vendors & Products Chainguard
Chainguard apko

Thu, 05 Feb 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Chainguard-dev
Chainguard-dev apko
Vendors & Products Chainguard-dev
Chainguard-dev apko

Wed, 04 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Description apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.0, expandapk.Split drains the first gzip stream of an APK archive via io.Copy(io.Discard, gzi) without explicit bounds. With an attacker-controlled input stream, this can force large gzip inflation work and lead to resource exhaustion (availability impact). The Split function reads the first tar header, then drains the remainder of the gzip stream by reading from the gzip reader directly without any maximum uncompressed byte limit or inflate-ratio cap. A caller that parses attacker-controlled APK streams may be forced to spend excessive CPU time inflating gzip data, leading to timeouts or process slowdown. This issue has been patched in version 1.1.0.
Title apko is vulnerable to unbounded resource consumption in expandapk.Split on attacker-controlled .apk streams
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Chainguard Apko
Chainguard-dev Apko
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T19:19:35.546Z

Reserved: 2026-01-29T14:03:42.539Z

Link: CVE-2026-25122

cve-icon Vulnrichment

Updated: 2026-02-04T19:19:24.752Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-04T19:16:14.960

Modified: 2026-02-20T21:31:50.767

Link: CVE-2026-25122

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T23:30:15Z

Weaknesses