apko CVE-2026-42576
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key (e.g. EC), the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK database and fetches repository keys. Affected versions <= 0.30.34.
Fix: No fix available yet.
Acknowledgements
apko thanks Oleh Konko from 1seal for discovering and reporting this issue.
AnalysisAI
Apko crashes via denial-of-service when a repository JWKS endpoint returns a non-RSA key due to an unchecked type assertion in the DiscoverKeys function. The vulnerability affects any workflow initializing the APK database and requires user interaction to trigger (e.g., running apko with a malicious repository), with CVSS 6.5 reflecting the availability impact. No patch is currently available, though the issue is confirmed and acknowledged by the apko maintainers.
Technical ContextAI
The vulnerability exists in the DiscoverKeys function within pkg/apk/apk/implementation.go of apko, a tool for building container images using APK packages. The function fetches JSON Web Key Sets (JWKS) from repository endpoints to verify package signatures. The root cause (CWE-704: Incorrect Type Conversion or Cast) stems from an unconditional type assertion that assumes all JWKS keys are RSA public keys without validating the actual key type. When a repository returns elliptic curve (EC) or other non-RSA keys, the assertion fails at runtime, triggering a Go panic that crashes the apko process. This affects the APK package manager integration layer responsible for key discovery during database initialization.
RemediationAI
Upgrade apko to version 1.2.7 or later, which resolves the unchecked type assertion by validating JWKS key types before casting. If immediate upgrade is not feasible, implement network-layer compensating controls: restrict outbound connections from CI/CD runners to only trusted, internally-managed APK repository JWKS endpoints using firewall rules or proxy filtering, and disable or remove any APK repository configurations pointing to external or untrusted sources. A secondary mitigation would involve running apko in a containerized sandbox with resource limits to prevent process crashes from affecting the host system, though this does not prevent the denial of service to the build pipeline itself. Review all configured APK repository endpoints to identify high-risk sources, and prioritize upgrades for environments using third-party repositories. See GitHub advisory GHSA-m7hm-vm4x-28jf for official guidance.
Same weakness CWE-704 – Incorrect Type Conversion or Cast
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-m7hm-vm4x-28jf