CVE-2026-25121
Path Traversal in apko dirFS Allows Arbitrary Directory Creation
Publication date: 2026-02-04
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chainguard | apko | From 0.14.8 (inc) to 1.1.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-23 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in apko versions from 0.14.8 to before 1.1.1 in its dirFS filesystem abstraction. It is a path traversal vulnerability where an attacker who can supply a malicious APK packageβsuch as through a compromised or typosquatted repositoryβcan create directories or symbolic links outside the intended installation root. This happens because certain methods (MkdirAll, Mkdir, and Symlink) use filepath.Join() without validating that the resulting path remains within the base directory.
The issue allows attackers to escape the intended directory boundaries, potentially leading to unauthorized file system modifications.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to create directories or symbolic links outside the intended installation root of apko container images. This could lead to unauthorized modifications of the file system, potentially enabling further attacks such as code execution, privilege escalation, or tampering with system files.
Since the vulnerability does not affect confidentiality or availability directly (CVSS indicates no impact on confidentiality or availability), the main risk is integrity compromise of the system or container environment.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade apko to version 1.1.1 or later, where the path traversal issue in the dirFS filesystem abstraction has been patched.