CVE-2026-25121
Unknown Unknown - Not Provided
Path Traversal in apko dirFS Allows Arbitrary Directory Creation

Publication date: 2026-02-04

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-04
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25121
EUVD
EUVD-2026-5380
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
chainguard apko From 0.14.8 (inc) to 1.1.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in apko versions from 0.14.8 to before 1.1.1 in its dirFS filesystem abstraction. It is a path traversal vulnerability where an attacker who can supply a malicious APK packageβ€”such as through a compromised or typosquatted repositoryβ€”can create directories or symbolic links outside the intended installation root. This happens because certain methods (MkdirAll, Mkdir, and Symlink) use filepath.Join() without validating that the resulting path remains within the base directory.

The issue allows attackers to escape the intended directory boundaries, potentially leading to unauthorized file system modifications.

Impact Analysis

This vulnerability can impact you by allowing an attacker to create directories or symbolic links outside the intended installation root of apko container images. This could lead to unauthorized modifications of the file system, potentially enabling further attacks such as code execution, privilege escalation, or tampering with system files.

Since the vulnerability does not affect confidentiality or availability directly (CVSS indicates no impact on confidentiality or availability), the main risk is integrity compromise of the system or container environment.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade apko to version 1.1.1 or later, where the path traversal issue in the dirFS filesystem abstraction has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25121. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart