Nixpkgs security tracker

Untriaged

Permalink CVE-2026-25121

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): NONE

created 2 months, 2 weeks ago Activity log

Created suggestion 2 months, 2 weeks ago

apko is vulnerable to path traversal in apko dirFS which allows filesystem writes outside base

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1.

References

https://github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw x_refsource_CONFIRM
https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14 x_refsource_MISC

Affected products

apko

==>= 0.14.8, < 1.1.1

Matching in nixpkgs

pkgs.apko

Build OCI images using APK directly without Dockerfile

nixos-unstable -
- nixpkgs-unstable 1.0.5
nixos-25.11 0.30.22

Package maintainers

@06kellyjac Jack <hello+nixpkgs@j-k.io>
@developer-guy Batuhan Apaydın <developerguyn@gmail.com>
@emilylange Emily Lange <nix@emilylange.de>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.apko

Package maintainers