
Commit 4b16635

1 parent fb86a15 commit 4b16635


2 files changed

+122
-0
lines changed

Lines changed: 61 additions & 0 deletions
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-5g94-c2wx-8pxw",
4+
"modified": "2026-02-03T23:57:48Z",
5+
"published": "2026-02-03T23:57:48Z",
6+
"aliases": [
7+
"CVE-2026-25121"
8+
],
9+
"summary": "apko has a path traversal in apko dirFS which allows filesystem writes outside base",
10+
"details": "A Path Traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory.\n\n**Fix:** Fixed by [d8b7887](https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14). Merged into release. \n\n**Acknowledgements** \n \napko thanks Oleh Konko from [1seal](https://1seal.org/) for discovering and reporting this issue.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "chainguard.dev/apko"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0.14.8"
29+
},
30+
{
31+
"fixed": "1.1.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/chainguard-dev/apko"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-23"
55+
],
56+
"severity": "HIGH",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-02-03T23:57:48Z",
59+
"nvd_published_at": null
60+
}
61+
}
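Review bot: the `details` string (file line 10) ends the fix paragraph with "Merged into release." without naming the release, while the `affected` range below gives `"fixed": "1.1.0"`; state the version in the text ("Released in v1.1.0", as the companion advisory in this commit does) so a reader of the rendered advisory does not have to cross-check the range. The rest of the record is consistent with the description: CWE-23 matches a `filepath.Join()` result that escapes the base directory, and the `AV:N/PR:N/UI:N` vector with `I:H` fits a malicious package delivered through a compromised or typosquatted repository.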
Lines changed: 61 additions & 0 deletions
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-6p9p-q6wh-9j89",
4+
"modified": "2026-02-03T23:58:37Z",
5+
"published": "2026-02-03T23:58:37Z",
6+
"aliases": [
7+
"CVE-2026-25122"
8+
],
9+
"summary": "apko affected by unbounded resource consumption in expandapk.Split on attacker-controlled .apk streams ",
10+
"details": "`expandapk.Split` drains the first gzip stream of an APK archive via `io.Copy(io.Discard, gzi)` without explicit bounds. With an attacker-controlled input stream, this can force large gzip inflation work and lead to resource exhaustion (availability impact). \n \nThe `Split` function reads the first tar header, then drains the remainder of the gzip stream by reading from the gzip reader directly without any maximum uncompressed byte limit or inflate-ratio cap. A caller that parses attacker-controlled APK streams may be forced to spend excessive CPU time inflating gzip data, leading to timeouts or process slowdown. \n \n**Fix:** Fixed with [2be3903](https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09), Released in v1.1.0. \n \n**Acknowledgements** \n \napko thanks Oleh Konko from [1seal](https://1seal.org/) for discovering and reporting this issue.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "chainguard.dev/apko"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0.14.8"
29+
},
30+
{
31+
"fixed": "1.1.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-6p9p-q6wh-9j89"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/chainguard-dev/apko"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-400"
55+
],
56+
"severity": "MODERATE",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-02-03T23:58:37Z",
59+
"nvd_published_at": null
60+
}
61+
}
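Review bot: the `summary` value (file line 9) carries a trailing space after "streams", which consumers will render verbatim; trim it. The CVSS vector `AV:L/AC:L/PR:N/UI:R` also differs from the first advisory's `AV:N/.../UI:N` even though both records describe an attacker-supplied APK; if the delivery path is the same (a malicious package pulled from a repository), the attack-vector and user-interaction metrics should be scored consistently, or the `details` should say why this one is local and needs user interaction. Minor: "Fixed with [...], Released in v1.1.0." should be split into two sentences.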
