CVE-2026-42574: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in chainguard-dev apko
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5.
AI Analysis
Technical Summary
The vulnerability in apko (versions >=0.14.8 and <1.2.5) involves improper limitation of pathname to a restricted directory (CWE-22) combined with symbolic link handling (CWE-59). A malicious .apk package can create a symlink in the tar archive that points outside the intended build root directory. Subsequent directory or file creation entries in the same or later archive can traverse this symlink, enabling writes to arbitrary paths on the host system where the build user has write permissions. This can lead to unauthorized file writes outside the build environment. The issue was patched in apko version 1.2.5.
Potential Impact
An attacker who can supply a crafted .apk package to apko during the container image build process can cause arbitrary file writes outside the intended build root directory. This could lead to unauthorized modification of files on the host system with the privileges of the build user. There is no confidentiality impact reported, but integrity is highly impacted. Availability is not affected. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade apko to version 1.2.5 or later, where this path traversal vulnerability has been patched. Until the upgrade is applied, avoid building container images from untrusted .apk packages. Patch status is confirmed by the vendor advisory indicating the fix in version 1.2.5.
CVE-2026-42574: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in chainguard-dev apko
Description
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in apko (versions >=0.14.8 and <1.2.5) involves improper limitation of pathname to a restricted directory (CWE-22) combined with symbolic link handling (CWE-59). A malicious .apk package can create a symlink in the tar archive that points outside the intended build root directory. Subsequent directory or file creation entries in the same or later archive can traverse this symlink, enabling writes to arbitrary paths on the host system where the build user has write permissions. This can lead to unauthorized file writes outside the build environment. The issue was patched in apko version 1.2.5.
Potential Impact
An attacker who can supply a crafted .apk package to apko during the container image build process can cause arbitrary file writes outside the intended build root directory. This could lead to unauthorized modification of files on the host system with the privileges of the build user. There is no confidentiality impact reported, but integrity is highly impacted. Availability is not affected. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade apko to version 1.2.5 or later, where this path traversal vulnerability has been patched. Until the upgrade is applied, avoid building container images from untrusted .apk packages. Patch status is confirmed by the vendor advisory indicating the fix in version 1.2.5.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-28T17:26:12.085Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ff8cbdcbff5d86106ac335
Added to database: 5/9/2026, 7:36:29 PM
Last enriched: 5/9/2026, 7:51:26 PM
Last updated: 5/10/2026, 6:29:45 AM
Views: 16
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.