CVE-2026-42574
Symlink Traversal in apko Container Image Builder
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: GitHub, Inc.
Description
A crafted .apk package installed by apko during an image build can contain a symlink tar entry whose target resolves outside the build root. Later directory-creation and file-write operations that pass through that symlink escape the build root and modify host paths writable by the build user. The path sanitization in affected versions blocked only lexical ".." traversal and did not account for symlinks; apko 1.2.5 routes filesystem operations through Go 1.24's os.Root, which blocks symlink escapes.
CVSS Scores
| Base score: | 7.5 (High) |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range | Status |
|---|---|---|---|
| chainguard-dev | apko | From 0.14.8 (inc) to 1.2.5 (exc) | Affected |
| chainguard-dev | apko | 1.2.5 | Fixed |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42574 is a high-severity vulnerability in apko, the Chainguard-maintained container image builder that assembles images from APK packages. It affects versions from 0.14.8 up to but not including 1.2.5. A crafted .apk package can carry a tar entry of type symlink (tar.TypeSymlink in Go's archive/tar) whose target points outside the build root. Any later entry in the same archive, or in a package installed afterwards, that creates a directory or writes a file beneath that symlinked path follows the link and lands on the host filesystem, anywhere the build user can write.
The root cause is that apko's path sanitization only rejected lexical ".." traversal and did not account for symlinks (CWE-59 rather than CWE-22). A write to a path such as etc/link/file looks clean lexically, yet if etc/link is a symlink to a host directory the write escapes the build root. Every filesystem operation that followed symlinks could therefore be steered outside the root, allowing unauthorized modification of files on the build host.
The issue was fixed in apko 1.2.5 by routing all build-root filesystem operations through os.Root, introduced in Go 1.24. os.Root resolves every path within a fixed root directory and refuses symlinks that would resolve outside it, so the escape is blocked regardless of archive contents.
How can this vulnerability impact me?
If a malicious or tampered .apk package reaches an apko build, the symlink traversal lets it write to arbitrary host paths that the build user has permission to write. In CI this is typically the build runner's filesystem, so build scripts, caches, credentials files or other images staged on the same runner are in scope, depending on what the build user can reach.
The impact is primarily on integrity: files outside the build environment can be modified without authorization. The vulnerability is rated high severity (CVSS 7.5) with low attack complexity, no privileges required and no user interaction; the precondition is getting an attacker-controlled package into the build's package inputs.
There is no complete workaround other than upgrading to apko 1.2.5 or later. Consuming only signed APKs from trusted repositories reduces the chance that a crafted package enters the build, but it does not remove the flaw itself.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The advisory does not supply indicators of exploitation or detection commands. What can be checked is exposure: inventory the apko version used by each build pipeline and compare it against the affected range (0.14.8 up to but not including 1.2.5), and review which APK repositories the builds pull from. Because the escape depends on archive contents, the package inputs themselves can be inspected for symlink entries whose targets resolve outside the extraction root and for later entries written through such symlinks.
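As an added example (not code from apko or from the advisory), the Go program below walks the tar entries of a package in order, the way an extractor applies them, and flags the three shapes described above: a symlink whose target resolves outside the root, a later entry whose path passes through such a symlink, and plain lexical ".." traversal. It also includes a stand-in lexical-only check, lexicalOK, to show why a sanitizer that only looks at ".." accepts the write through the symlink. The archive it scans is constructed in memory and its entry names are illustrative; it is not a real .apk. A real .apk is a gzip-compressed tar stream, so decompress it with compress/gzip before handing it to ScanTar.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// Finding is one archive entry that the symlink-aware check rejects.
type Finding struct {
	Name   string
	Reason string
}

// lexicalOK stands in for a lexical-only sanitizer: it rejects absolute
// names and ".." components but knows nothing about symlinks, so a write
// *through* a symlink created by an earlier entry looks perfectly clean.
func lexicalOK(name string) bool {
	if path.IsAbs(name) {
		return false
	}
	for _, c := range strings.Split(name, "/") {
		if c == ".." {
			return false
		}
	}
	return true
}

// ScanTar walks a tar stream in entry order without writing to disk. It
// reports symlinks whose target resolves outside the extraction root, later
// entries whose path passes through any earlier symlink, and lexical traversal.
// Absolute link targets are reported conservatively: a symlink-following
// extractor would treat them as host paths.
func ScanTar(r io.Reader) ([]Finding, error) {
	tr := tar.NewReader(r)
	symlinks := map[string]string{} // link path -> resolved target
	var findings []Finding
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return findings, nil
		}
		if err != nil {
			return nil, err
		}
		name := path.Clean(hdr.Name)
		if name == "." {
			continue
		}
		if !lexicalOK(name) {
			findings = append(findings, Finding{name, "lexical traversal outside root"})
			continue
		}
		// A write whose path passes through an earlier symlink lands wherever
		// that symlink points, not where the lexical path says (CWE-59).
		for dir := path.Dir(name); dir != "."; dir = path.Dir(dir) {
			if target, ok := symlinks[dir]; ok {
				findings = append(findings, Finding{name, fmt.Sprintf("path passes through symlink %q -> %q", dir, target)})
				break
			}
		}
		if hdr.Typeflag == tar.TypeSymlink {
			target := hdr.Linkname
			escapes := path.IsAbs(target)
			if !escapes {
				// Relative targets resolve against the link's own directory.
				target = path.Join(path.Dir(name), target)
				escapes = target == ".." || strings.HasPrefix(target, "../")
			}
			if escapes {
				findings = append(findings, Finding{name, fmt.Sprintf("symlink target %q resolves outside root", target)})
			}
			symlinks[name] = target
		}
	}
}

// SampleArchive is constructed example data: a benign directory, file and
// in-root symlink, then an escaping symlink, a file written through it,
// and a lexically traversing name. It is not a real package.
func SampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	add := func(hdr *tar.Header, body string) {
		hdr.Size = int64(len(body))
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := io.WriteString(tw, body); err != nil {
			panic(err)
		}
	}
	add(&tar.Header{Name: "etc/", Typeflag: tar.TypeDir, Mode: 0755}, "")
	add(&tar.Header{Name: "etc/apk/world", Typeflag: tar.TypeReg, Mode: 0644}, "busybox\n")
	add(&tar.Header{Name: "bin/sh", Typeflag: tar.TypeSymlink, Linkname: "busybox", Mode: 0777}, "")
	add(&tar.Header{Name: "etc/esc", Typeflag: tar.TypeSymlink, Linkname: "../../../../tmp", Mode: 0777}, "")
	add(&tar.Header{Name: "etc/esc/owned", Typeflag: tar.TypeReg, Mode: 0644}, "written outside the build root\n")
	add(&tar.Header{Name: "../../outside", Typeflag: tar.TypeReg, Mode: 0644}, "lexical escape\n")
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	findings, err := ScanTar(bytes.NewReader(SampleArchive()))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-16s lexicalOK=%-5v %s\n", f.Name, lexicalOK(f.Name), f.Reason)
	}
}
```

Running it reports three entries: the escaping symlink etc/esc, the file etc/esc/owned written through it, and ../../outside. The middle one is the case the advisory describes: lexicalOK accepts it, because nothing in the name itself is suspicious; only tracking the symlinks created earlier in the stream reveals that the write leaves the root. The scanner is a pre-flight check on package inputs, not a substitute for upgrading to 1.2.5, where os.Root enforces the same boundary at extraction time.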
What immediate steps should I take to mitigate this vulnerability?
Upgrade apko to version 1.2.5 or later. The fix routes all build-root filesystem operations through os.Root (Go 1.24), which blocks symlink traversal and other path escapes out of the root directory.
There is no complete workaround short of upgrading. Until then, restrict builds to signed APK packages from trusted repositories to reduce the chance that a crafted package enters the build, and run builds under an account with the least possible write access to the host, since the escape is bounded by what the build user can write.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows crafted .apk files to escape the build root via symlinks and modify host paths writable by the build user, so its compliance relevance is an integrity concern in the software build environment rather than a direct data-exposure one.
The CVE description and resources do not mention GDPR, HIPAA or other standards. Where such regulations require safeguards against unauthorized modification of systems that process regulated data, an unpatched build pipeline that produces those systems' container images could be cited as a gap in integrity controls.
Organizations relying on apko for building container images should upgrade to version 1.2.5 or later and record the remediation, which supports integrity requirements under data protection standards that call for protection against unauthorized modification.