Home

Description

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5.

PUBLISHED Reserved 2026-04-28 | Published 2026-05-09 | Updated 2026-05-09 | Assigner GitHub_M




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-59: Improper Link Resolution Before File Access ('Link Following')

Product status

>= 0.14.8, < 1.2.5
affected

References

github.com/...v/apko/security/advisories/GHSA-qq3r-w4hj-gjp6

github.com/chainguard-dev/apko/pull/2187

github.com/...ommit/f5a96e1299ac81c7ea9441705ec467688086f442

github.com/chainguard-dev/apko/releases/tag/v1.2.5

cve.org (CVE-2026-42574)

nvd.nist.gov (CVE-2026-42574)

Download JSON