Nixpkgs security tracker

Untriaged

Permalink CVE-2026-25140

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH

created 2 months, 2 weeks ago Activity log

Created suggestion 2 months, 2 weeks ago

apko affected by potential unbounded resource consumption in expandapk.ExpandApk on attacker-controlled .apk streams

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service. This issue has been patched in version 1.1.1.

References

https://github.com/chainguard-dev/apko/security/advisories/GHSA-f4w5-5xv9-85f6 x_refsource_CONFIRM
https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09 x_refsource_MISC

Affected products

apko

==>= 0.14.8, < 1.1.1

Matching in nixpkgs

pkgs.apko

Build OCI images using APK directly without Dockerfile

nixos-unstable -
- nixpkgs-unstable 1.0.5
nixos-25.11 0.30.22

Package maintainers

@06kellyjac Jack <hello+nixpkgs@j-k.io>
@developer-guy Batuhan Apaydın <developerguyn@gmail.com>
@emilylange Emily Lange <nix@emilylange.de>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.apko

Package maintainers