CVE-2026-25121
HIGH
GHSA-5g94-c2wx-8pxw
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3Tags
Description
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1.
Analysis
Apko versions up to 1.1.1 contains a vulnerability that allows attackers to build and publish OCI container images built from apk packages (CVSS 7.5).
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running Apko versions up to 1.1.1 and assess their role in your container build pipeline. Within 7 days: Apply the available patch to all affected Apko installations and validate patch deployment across development and CI/CD environments. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today