apko hat eine Pfadüberschreitung in apko dirFS, die Dateisystemschreibungen außerhalb der Basis ermöglicht

The core of the vulnerability lies in the filepath.Join() function used within the MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go. This function doesn't adequately validate the resulting path, allowing an attacker to craft a malicious APK package that, when processed by apko, creates files or links outside of the designated installation directory. Successful exploitation could lead to arbitrary file system access, potentially allowing an attacker to overwrite critical system files, execute malicious code, or gain persistent access to the system. The impact is amplified if apko is used in automated build pipelines or within container orchestration environments, as a compromised APK repository could silently inject malicious components into deployed applications.

Organizations and developers using chainguard.dev/apko for building APK images, particularly those relying on external or untrusted repositories for APK packages, are at risk. Shared hosting environments where multiple users share the same apko installation are also particularly vulnerable, as a compromised APK package from one user could potentially impact other users.

• linux / server: Monitor apko process file system activity using lsof or auditd for unexpected writes outside the intended installation directory.

lsof -p $(pgrep apko) | grep '/outside/intended/path/'

• generic web: Inspect APK package metadata for suspicious file paths or directory structures before processing. Use tools like zip -v to examine the contents of the APK. • go: Review the pkg/apk/fs/rwosfs.go file for instances of filepath.Join() without proper path validation. Look for potential bypasses of intended directory boundaries.

1. 2026-02-03Disclosure

   disclosure

1. Reserviert2026-01-29
2. Veröffentlicht2026-02-03
3. Geändert2026-02-23
4. EPSS aktualisiert2026-03-23

The primary mitigation for CVE-2026-25121 is to upgrade to version 1.1.0 or later of chainguard.dev/apko. This version includes a fix that properly validates file paths, preventing the path traversal vulnerability. If upgrading immediately is not feasible, consider implementing stricter input validation on APK packages before processing them with apko. This could involve verifying the source of the APK, checking its checksum, and scanning it for suspicious content. While not a direct fix, restricting the permissions of the user account running apko can limit the potential damage from a successful exploit. After upgrading, confirm the fix by attempting to create a symbolic link outside the intended installation directory using a malicious APK package; the operation should fail.