CVE-2026-25122
MEDIUM5.5EPSS 0.02%apko affected by unbounded resource consumption in expandapk.Split on attacker-controlled .apk streams
描述
`expandapk.Split` drains the first gzip stream of an APK archive via `io.Copy(io.Discard, gzi)` without explicit bounds. With an attacker-controlled input stream, this can force large gzip inflation work and lead to resource exhaustion (availability impact). The `Split` function reads the first tar header, then drains the remainder of the gzip stream by reading from the gzip reader directly without any maximum uncompressed byte limit or inflate-ratio cap. A caller that parses attacker-controlled APK streams may be forced to spend excessive CPU time inflating gzip data, leading to timeouts or process slowdown. **Fix:** Fixed with [2be3903](https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09), Released in v1.1.0. **Acknowledgements** apko thanks Oleh Konko from [1seal](https://1seal.org/) for discovering and reporting this issue.
受影響套件(2)
- Go/chainguard.dev/apko>= 0.14.8, < 1.1.0
- Go/chainguard.dev/apko>= 0.14.8, < 1.1.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |