Platform: go
Component: chainguard.dev/apko
Fixed in: 0.14.9, 1.1.0
CVE-2026-25121 is a path traversal vulnerability in chainguard.dev/apko, a Go tool that builds container images from APK packages. When apko unpacks a package it could be made to create directories or symbolic links outside the intended installation root, giving a crafted package a way to read or modify files the root was meant to fence off. The fixed releases are 0.14.9 and 1.1.0; earlier releases are affected.
The impact is significant. An attacker who can get a malicious APK package in front of apko, for example through a compromised repository or a typosquatted package name, can use the flaw to escape the installation root and write to arbitrary locations: overwriting critical system files, installing malware, or gaining persistent access. Symbolic links amplify the risk, since a link planted outside the root can redirect later reads or writes to locations the attacker chooses or build deceptive file structures. The bug is a reminder that package sources must be pinned and their integrity verified, and that unpacking code must treat every entry name in a package as attacker-controlled input.
The vulnerability is public and recorded in the CVE database. No active exploitation campaigns have been reported as of the publication date, but crafting a package that triggers it is straightforward, and because the bug sits in a package-installation path a single malicious package served from a compromised repository could reach many builds. It is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS: 0.07% (22nd percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation for CVE-2026-25121 is to upgrade to a fixed release of chainguard.dev/apko (0.14.9 or 1.1.0 and later). If upgrading is not immediately feasible, validate APK packages before apko processes them: restrict builds to an allowlist of trusted package sources, and scan each package for entry names that are absolute, contain ".." segments, or are symbolic links whose target resolves outside the installation root. Also run apko with the least privilege it needs and confine the locations it can write to (a dedicated user, a container, or a sandbox), so that a traversal cannot reach sensitive paths. After upgrading, confirm the fix with a test package containing such entries and check that apko refuses to create anything outside the root.
Update apko to a fixed release (0.14.9 or 1.1.0 and later). This corrects the path traversal that allowed files to be written outside the base directory. Fixed versions are available from the official repository or through your package manager.
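What the pre-install check described above looks like in code. This is an added example written for this page in Go, the language apko is written in; it is not apko's own code and does not reproduce the patch shipped in 0.14.9 / 1.1.0. It validates every entry of a tar stream (the inner layout of an .apk) against an installation root before anything is written: absolute names, names that climb out with "..", symlinks whose target resolves outside the root, and entries routed through a symlink the archive itself created earlier. The root /srv/apko-root and the archive contents are constructed sample data for this example; nothing touches the disk.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// EntryError records one archive entry that must not be installed, and why.
type EntryError struct{ Name, Reason string }

func (e EntryError) Error() string { return e.Name + ": " + e.Reason }

// within reports whether the cleaned path p is root itself or lies below it.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// checkEntry validates one tar header against the installation root and returns the cleaned
// destination. It rejects absolute names, names that climb out of root via "..", symlinks whose
// target resolves outside root, and writes routed through a symlink seen earlier in the archive.
func checkEntry(root string, hdr *tar.Header, links map[string]bool) (string, error) {
	root = filepath.Clean(root)
	if strings.HasPrefix(hdr.Name, "/") || filepath.IsAbs(hdr.Name) {
		return "", EntryError{hdr.Name, "absolute entry name"}
	}
	dest := filepath.Join(root, hdr.Name) // Join cleans, so ".." segments are folded in
	if !within(root, dest) {
		return "", EntryError{hdr.Name, "escapes root via .."}
	}
	for p := filepath.Dir(dest); p != root && p != filepath.Dir(p); p = filepath.Dir(p) {
		if links[p] {
			return "", EntryError{hdr.Name, "path passes through symlink " + p}
		}
	}
	if hdr.Typeflag == tar.TypeSymlink {
		if strings.HasPrefix(hdr.Linkname, "/") || filepath.IsAbs(hdr.Linkname) {
			return "", EntryError{hdr.Name, "absolute link target " + hdr.Linkname}
		}
		// A relative symlink target resolves from the link's own directory.
		if !within(root, filepath.Join(filepath.Dir(dest), hdr.Linkname)) {
			return "", EntryError{hdr.Name, "link target escapes root: " + hdr.Linkname}
		}
		links[dest] = true
	}
	return dest, nil
}

// scanArchive walks a tar stream and splits its entries into accepted destinations and rejections.
func scanArchive(root string, r io.Reader) (accepted []string, rejected []EntryError, err error) {
	tr := tar.NewReader(r)
	links := map[string]bool{}
	for {
		hdr, nerr := tr.Next()
		if nerr == io.EOF {
			return accepted, rejected, nil
		}
		if nerr != nil {
			return nil, nil, nerr
		}
		dest, cerr := checkEntry(root, hdr, links)
		if cerr != nil {
			rejected = append(rejected, cerr.(EntryError)) // checkEntry only ever returns EntryError
			continue
		}
		accepted = append(accepted, dest)
	}
}

// buildTestArchive constructs, in memory and only for this example, a package mixing benign entries with hostile ones.
func buildTestArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, h := range []tar.Header{
		{Name: "usr/bin/tool", Typeflag: tar.TypeReg, Mode: 0755},
		{Name: "../../etc/cron.d", Typeflag: tar.TypeDir, Mode: 0755},                      // climbs out of root
		{Name: "usr/lib/evil", Typeflag: tar.TypeSymlink, Linkname: "../../../etc/shadow"}, // target outside root
		{Name: "usr/lib/ok", Typeflag: tar.TypeSymlink, Linkname: "../bin/tool"},           // target inside root
		{Name: "opt/link", Typeflag: tar.TypeSymlink, Linkname: "../usr"},                  // inside root, but a symlink
		{Name: "opt/link/payload", Typeflag: tar.TypeReg, Mode: 0644},                      // write routed through it
	} {
		if err := tw.WriteHeader(&h); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	accepted, rejected, err := scanArchive("/srv/apko-root", bytes.NewReader(buildTestArchive()))
	if err != nil {
		panic(err)
	}
	fmt.Println("install:", accepted)
	fmt.Println("reject: ", rejected)
}
```

Running it reports the three hostile entries and accepts the three benign ones, including the symlink whose ".." target still lands inside the root. A lexical check of this kind is necessary but not sufficient on its own: the extractor must also refuse to follow symlinks that already exist on disk beneath the root (open parent directories with O_NOFOLLOW, or use openat2 with RESOLVE_BENEATH on Linux), and hardlink entries need the same target check with Linkname resolved against the root rather than the link's directory. Pinning sources and verifying package signatures keeps a malicious package from reaching this code at all.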
CVE-2026-25121 is a HIGH severity Path Traversal vulnerability in chainguard.dev/apko, allowing attackers to create directories/symlinks outside the intended installation root via malicious APK packages.
You are affected if you are running chainguard.dev/apko at a version earlier than the fixed releases (0.14.9 / 1.1.0) and have not put mitigating controls in place.
Upgrade to a fixed release (0.14.9 or 1.1.0 and later). If you cannot upgrade immediately, validate APK packages before apko processes them and restrict where apko can write.
No active exploitation campaigns have been reported as of the publication date, but the vulnerability's ease of exploitation warrants caution.
Refer to the chainguard.dev/apko GitHub repository for updates and advisories: https://github.com/chainguard-dev/apko