GHSA-qq3r-w4hj-gjp6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qq3r-w4hj-gjp6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qq3r-w4hj-gjp6/GHSA-qq3r-w4hj-gjp6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qq3r-w4hj-gjp6
- Aliases
-
- CVE-2026-42574
- Downstream
- Related
- Published
- 2026-05-04T21:26:47Z
- Modified
- 2026-05-05T19:14:20.448654886Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root
- Details
-
Impact
A crafted
.apkcould install aTypeSymlinktar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. The root cause was thesanitizePathhelper inpkg/apk/fs/rwosfs.go, which rejected only lexical..traversal and did not resolve or refuse symlinks. Every disk-backedDirFSmethod that handed its caller-supplied path to a symlink-following stdlib call —ReadFile,WriteFile,Chmod,Chown,Chtimes,MkdirAll,Mkdir, andMknod— was affected. The reachable primitive from a malicious APK during tar extraction is theMkdirAll/Mkdir/WriteFilechain viaapko build-cpioand disk-backed consumers such asmelange; the remaining sinks are reachable by direct callers of thepkg/apk/fspackage. The in-memorytarfsinstall path used byapko build,apko publish, andapko build-minirootfsis not affected.Patches
Fixed in apko v1.2.5 by #2187 / commit f5a96e1, which scopes all
DirFSoperations through a Go 1.24*os.Root. ThesanitizePathhelper has been removed;*os.Rootrefuses traversal via.., absolute-target symlinks, relative-target symlinks, and hardlinks by construction. Regression tests inpkg/apk/apk/path_traversal_test.gocover each composite primitive.Workarounds
No complete workaround. Operators running pre-1.2.5 apko (or downstream tools such as melange that embed pre-1.2.5
pkg/apk/fs) should upgrade. Consuming only APKs from trusted, signed sources reduces but does not eliminate exposure.Resources
- https://github.com/chainguard-dev/apko/pull/2187
- https://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442
- https://github.com/chainguard-dev/apko/releases/tag/v1.2.5
- Related: GHSA-5g94-c2wx-8pxw (CVE-2026-25121) — prior lexical
..traversal fix
Credits
apko thanks Oleh Konko (@1seal from 1seal.org) for the initial report of the symlink-escape class, and to @Xh081iX for a follow-up set of reports covering additional reachable primitives (
ReadFile,Chmod/Chown,Mknod,MkdirAll/Mkdir) that shaped the comprehensive fix. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-04T21:26:47Z", "cwe_ids": [ "CWE-22", "CWE-59" ], "severity": "HIGH", "nvd_published_at": null }- References
-
- https://github.com/chainguard-dev/apko/security/advisories/GHSA-qq3r-w4hj-gjp6
- https://github.com/chainguard-dev/apko/pull/2187
- https://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442
- https://github.com/chainguard-dev/apko
- https://github.com/chainguard-dev/apko/releases/tag/v1.2.5
Affected packages
Go / chainguard.dev/apko
Package
- Name
- chainguard.dev/apko
- View open source insights on deps.dev
- Purl
- pkg:golang/chainguard.dev/apko