CVE-2025-53945
BaseFortify
Publication date: 2025-07-18
Last updated on: 2025-07-22
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chainguard-dev | apko | 0.29.5 |
| chainguard-dev | apko | 0.27.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in apko involves the file /etc/ld.so.cache being created with overly permissive file permissions (0666), making it world-writable. This allows local unprivileged users to modify the file, enabling them to add arbitrary directories containing malicious dynamic libraries to the dynamic loader path. As a result, an attacker could cause the system to load and execute malicious libraries, potentially compromising system security and enabling root escalation. The issue was introduced in version 0.27.0 and fixed in version 0.29.5. [2, 3]
How can this vulnerability impact me?
The vulnerability can allow a local attacker with low privileges to modify the /etc/ld.so.cache file, inserting paths to malicious dynamic libraries. When the dynamic linker loads these libraries, it can lead to unauthorized code execution with elevated privileges, potentially resulting in root escalation. This compromises system confidentiality, integrity, and availability to varying degrees, making the system vulnerable to serious security breaches. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking the file permissions of `/etc/ld.so.cache` in container images built with apko versions from 0.27.0 up to but not including 0.29.5. Specifically, look for overly permissive permissions set to 0666 (world-writable). A command to check this would be: `ls -l /etc/ld.so.cache`. If the permissions show `-rw-rw-rw-` (0666), the system is vulnerable. [2]
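The same check, generalized as an added example (not part of the advisory or the apko project) so it can run against several extracted image root filesystems as well as a live system. The function names `check_ld_cache` and `audit_roots`, and the assumption that each image has been unpacked to a directory, are illustrative.

```shell
#!/bin/sh
# Added example (not from the advisory): flag /etc/ld.so.cache files that are
# writable by group or other, as described for apko 0.27.0 up to 0.29.5.
# Function names and the "extracted rootfs directory" layout are assumptions.

# check_ld_cache ROOT
#   returns 0 = mode is safe, 1 = group/other-writable, 2 = nothing to check
check_ld_cache() {
    root=${1:-/}
    cache="${root%/}/etc/ld.so.cache"

    # Only a regular file is inspected; a symlink could point outside ROOT.
    if [ -L "$cache" ] || [ ! -f "$cache" ]; then
        echo "SKIP $cache (absent or not a regular file)"
        return 2
    fi

    mode=$(ls -ld "$cache" | cut -c1-10)   # e.g. -rw-rw-rw-
    # -perm -0002 / -0020 match when the other / group write bit is set.
    if [ -n "$(find "$cache" -prune \( -perm -0002 -o -perm -0020 \) -print)" ]; then
        echo "FAIL $cache $mode (expected -rw-r--r--, 0644)"
        return 1
    fi
    echo "OK   $cache $mode"
    return 0
}

# audit_roots ROOT... : check every root, return 1 if any failed.
audit_roots() {
    rc=0
    for r in "$@"; do
        st=0
        check_ld_cache "$r" || st=$?
        if [ "$st" -eq 1 ]; then rc=1; fi
    done
    return "$rc"
}

# Stand-alone use: sh check.sh / /tmp/rootfs-a /tmp/rootfs-b
if [ "$#" -gt 0 ]; then
    audit_roots "$@"
    exit $?
fi
```

The non-zero exit status from `audit_roots` makes the script usable as a gate in an image build pipeline.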
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade apko to version 0.29.5 or later, where the file permission issue on `/etc/ld.so.cache` has been fixed by setting the permissions to 0644. Alternatively, you can manually correct the permissions on `/etc/ld.so.cache` by running `chmod 0644 /etc/ld.so.cache` to remove write permissions for group and others. [2, 3]