CVE-2026-25121
- Source
- https://cve.org/CVERecord?id=CVE-2026-25121
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25121.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-25121
- Aliases
- Downstream
- Related
- Published
- 2026-02-04T19:02:17.979Z
- Modified
- 2026-03-01T02:57:08.021819Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- apko is vulnerable to path traversal in apko dirFS which allows filesystem writes outside base
- Details
-
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1.
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-23" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25121.json" }- References
Affected packages
Git / github.com/chainguard-dev/apko
Affected versions
0.*
0.27.8
v0.*
v0.14.8
v0.14.9
v0.15.0
v0.16.0
v0.17.0
v0.18.0
v0.18.1
v0.19.0
v0.19.1
v0.19.2
v0.19.3
v0.19.4
v0.19.5
v0.19.6
v0.19.7
v0.19.8
v0.19.9
v0.20.0
v0.20.1
v0.20.2
v0.21.0
v0.22.1
v0.22.2
v0.22.3
v0.22.4
v0.22.5
v0.22.6
v0.22.7
v0.23.0
v0.24.0
v0.25.0
v0.25.1
v0.25.2
v0.25.3
v0.25.4
v0.25.5
v0.25.6
v0.25.7
v0.26.0
v0.26.1
v0.27.0
v0.27.1
v0.27.2
v0.27.3
v0.27.4
v0.27.5
v0.27.6
v0.27.7
v0.27.9
v0.28.0
v0.29.0
v0.29.1
v0.29.10
v0.29.2
v0.29.3
v0.29.4
v0.29.5
v0.29.6
v0.29.7
v0.29.8
v0.29.9
v0.30.0
v0.30.1
v0.30.10
v0.30.11
v0.30.12
v0.30.13
v0.30.14
v0.30.15
v0.30.16
v0.30.17
v0.30.18
v0.30.19
v0.30.2
v0.30.20
v0.30.21
v0.30.22
v0.30.23
v0.30.24
v0.30.25
v0.30.26
v0.30.27
v0.30.28
v0.30.29
v0.30.3
v0.30.30
v0.30.31
v0.30.32
v0.30.33
v0.30.34
v0.30.35
v0.30.4
v0.30.5
v0.30.6
v0.30.7
v0.30.8
v0.30.9
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.1.0