CVE-2026-25121 in apko
Summary
by MITRE • 02/04/2026
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/21/2026
The vulnerability identified as CVE-2026-25121 affects apko, a tool designed for building and publishing OCI container images from apk packages commonly used in Alpine Linux environments. This path traversal flaw exists within apko's dirFS filesystem abstraction layer, specifically in the rwosfs.go file where critical filesystem operations are implemented. The vulnerability impacts versions 0.14.8 through 1.1.0, creating a significant security risk for container image building processes that rely on this tool. The flaw stems from inadequate path validation mechanisms in the MkdirAll, Mkdir, and Symlink methods, which utilize filepath.Join() without proper bounds checking against the intended installation root directory.
The technical exploitation of this vulnerability occurs when an attacker can inject a malicious APK package into the build process, either through a compromised package repository or by targeting typosquatted package names. When apko processes such malicious packages, the flawed filesystem abstraction allows the creation of directories or symbolic links outside the designated installation root. This path traversal capability enables attackers to manipulate the filesystem structure beyond the intended boundaries, potentially leading to arbitrary file creation, modification, or deletion in the build environment. The vulnerability directly maps to CWE-22 Path Traversal and represents a classic example of insufficient input validation in filesystem operations. The issue is particularly concerning in containerized environments where build processes may have elevated privileges and access to sensitive system resources.
The operational impact of CVE-2026-25121 extends beyond simple filesystem manipulation, as it can enable attackers to compromise the integrity of container image builds. When an attacker successfully exploits this vulnerability, they can potentially inject malicious code into the build process, create backdoors in container images, or manipulate the filesystem to persistently compromise the build environment. This vulnerability is especially dangerous in CI/CD pipelines where automated container builds occur, as it could allow attackers to compromise the entire build infrastructure. The attack surface is broadened by the fact that attackers only need to compromise a single package repository or convince users to install a malicious package, making this a high-impact vulnerability for organizations relying on apko for container image creation. The vulnerability also aligns with ATT&CK technique T1059 Command and Scripting Interpreter, as it enables attackers to execute arbitrary commands through filesystem manipulation.
Organizations using apko should immediately upgrade to version 1.1.1 or later to remediate this vulnerability, as the patch addresses the core path traversal issue by implementing proper path validation mechanisms. The fix ensures that all filesystem operations remain within the designated installation root by validating paths before executing directory creation or symlink operations. Additional mitigations include implementing strict package repository validation, using trusted package sources only, and conducting regular security audits of build environments. Organizations should also consider implementing network segmentation and access controls around package repositories to limit potential attack vectors. The vulnerability demonstrates the critical importance of proper input validation in filesystem operations, particularly in tools that handle untrusted package data. Security teams should monitor for potential exploitation attempts through anomalous filesystem activity or unexpected directory creation patterns in build environments. Regular security training for development teams on package management security and the importance of source verification can also help prevent exploitation of similar vulnerabilities in the future.