CVE-2026-25140
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time and causing build failures or denial of service. This issue has been patched in version 1.1.1.
Analysis
Apko versions 0.14.8 through 1.1.0 are vulnerable to denial of service when processing APK packages from untrusted repositories, due to missing decompression limits in the ExpandApk function. An attacker who controls a compromised APK repository can serve a small, highly compressed malicious package that expands into a massive tar stream, exhausting disk space and CPU on the build host. …
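The kind of limit the fix calls for, shown as an added example rather than apko's own code or the actual 1.1.1 patch: a bounded expander walks a gzip-compressed tar stream through an io.LimitedReader and aborts as soon as the decompressed size passes a cap, so a few KiB of input can never inflate into unbounded disk or CPU use. ExpandBounded, gzipTarOfZeros, the "payload" entry name and the 1 MiB cap are assumptions of this example; gzipTarOfZeros only builds a constructed, highly compressible test input to exercise the limit.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

var ErrDecompressionLimit = errors.New("apk expansion exceeds decompression limit")
// ExpandBounded walks a gzip-compressed tar stream (the .apk layout) but reads at
// most maxBytes of decompressed data, returning ErrDecompressionLimit past that.
// Hypothetical helper written for this page, not apko's own ExpandApk.
func ExpandBounded(r io.Reader, maxBytes int64) (n int64, err error) {
	// One byte past the cap proves the limit was exceeded without buffering or writing any inflated data.
	lim := &io.LimitedReader{N: maxBytes + 1}
	if lim.R, err = gzip.NewReader(r); err != nil {
		return 0, err
	}
	tr := tar.NewReader(lim)
	for err == nil {
		if _, err = tr.Next(); err == nil {
			_, err = io.Copy(io.Discard, tr) // stands in for extracting the entry to disk
		}
	}
	if n = maxBytes + 1 - lim.N; n > maxBytes { // n = decompressed bytes actually consumed
		err = ErrDecompressionLimit
	} else if err == io.EOF { // clean end of the archive within budget
		err = nil
	}
	return n, err
}
// gzipTarOfZeros is a constructed test input: one size-byte zero-filled tar entry, gzip-compressed to a few KiB.
func gzipTarOfZeros(size int64) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	tw.WriteHeader(&tar.Header{Name: "payload", Mode: 0o644, Size: size})
	tw.Write(make([]byte, size))
	tw.Close()
	gz.Close()
	return buf.Bytes()
}
func main() {
	bomb := gzipTarOfZeros(8 << 20) // ~8 KiB on the wire, 8 MiB once expanded
	n, err := ExpandBounded(bytes.NewReader(bomb), 1<<20)
	fmt.Printf("input %d bytes, stopped after %d decompressed bytes: %v\n", len(bomb), n, err)
}
```

With the 1 MiB cap the expander stops after exactly 1 MiB + 1 decompressed bytes of the 8 MiB sample, while an ordinary 4 KiB entry is read to its end with no error.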
Remediation
Within 24 hours: Identify all systems running apko versions 0.14.8 through 1.1.0 and assess exposure to untrusted APK repositories. Within 7 days: Upgrade apko to version 1.1.1 or later across all build environments and validate patch deployment. …