CVE-2026-25121

HIGH7.5EPSS 0.02%

apko has a path traversal in apko dirFS which allows filesystem writes outside base

Published: 2/3/2026Modified: 2/23/2026

Also known as:GHSA-5g94-c2wx-8pxwCGA-8rrf-mq5r-w436GO-2026-4405

Description

A Path Traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. **Fix:** Fixed by [d8b7887](https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14). Merged into release. **Acknowledgements** apko thanks Oleh Konko from [1seal](https://1seal.org/) for discovering and reporting this issue.

Affected packages (2)

Go/chainguard.dev/apko>= 0.14.8, < 1.1.0
Go/chainguard.dev/apko>= 0.14.8, < 1.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Description

Affected packages (2)

CVSS scores

References (4)