Skip to main content

apko CVE-2026-42576

MEDIUM
Incorrect Type Conversion or Cast (CWE-704)
2026-05-04 https://github.com/chainguard-dev/apko GHSA-m7hm-vm4x-28jf
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 04, 2026 - 21:47 vuln.today
Analysis Generated
May 04, 2026 - 21:47 vuln.today

DescriptionGitHub Advisory

DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key (e.g. EC), the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK database and fetches repository keys. Affected versions <= 0.30.34.

Fix: No fix available yet.

Acknowledgements

apko thanks Oleh Konko from 1seal for discovering and reporting this issue.

AnalysisAI

Apko crashes via denial-of-service when a repository JWKS endpoint returns a non-RSA key due to an unchecked type assertion in the DiscoverKeys function. The vulnerability affects any workflow initializing the APK database and requires user interaction to trigger (e.g., running apko with a malicious repository), with CVSS 6.5 reflecting the availability impact. No patch is currently available, though the issue is confirmed and acknowledged by the apko maintainers.

Technical ContextAI

The vulnerability exists in the DiscoverKeys function within pkg/apk/apk/implementation.go of apko, a tool for building container images using APK packages. The function fetches JSON Web Key Sets (JWKS) from repository endpoints to verify package signatures. The root cause (CWE-704: Incorrect Type Conversion or Cast) stems from an unconditional type assertion that assumes all JWKS keys are RSA public keys without validating the actual key type. When a repository returns elliptic curve (EC) or other non-RSA keys, the assertion fails at runtime, triggering a Go panic that crashes the apko process. This affects the APK package manager integration layer responsible for key discovery during database initialization.

RemediationAI

Upgrade apko to version 1.2.7 or later, which resolves the unchecked type assertion by validating JWKS key types before casting. If immediate upgrade is not feasible, implement network-layer compensating controls: restrict outbound connections from CI/CD runners to only trusted, internally-managed APK repository JWKS endpoints using firewall rules or proxy filtering, and disable or remove any APK repository configurations pointing to external or untrusted sources. A secondary mitigation would involve running apko in a containerized sandbox with resource limits to prevent process crashes from affecting the host system, though this does not prevent the denial of service to the build pipeline itself. Review all configured APK repository endpoints to identify high-risk sources, and prioritize upgrades for environments using third-party repositories. See GitHub advisory GHSA-m7hm-vm4x-28jf for official guidance.

Share

CVE-2026-42576 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy