apko dirFS has a symlink-following path traversal that allows multiple...

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Description

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5.

Basic Information

ID CVE-2026-42574

Source GitHub_M

Published May 9, 2026 at 19:24

Affected Product

Vendor chainguard-dev

Product apko

Version >= 0.14.8, < 1.2.5

Affected Versions chainguard-dev apko >= 0.14.8, < 1.2.5

CWE Classification

CWE-22 CWE-59

References

{
    "lastseen": "",
    "description": "apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5.",
    "published": "2026-05-09T19:24:48.497Z",
    "modified": "2026-05-09T19:24:48.497Z",
    "type": "cve",
    "title": "apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root",
    "source": "GitHub_M",
    "references": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-qq3r-w4hj-gjp6\nhttps://github.com/chainguard-dev/apko/pull/2187\nhttps://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442\nhttps://github.com/chainguard-dev/apko/releases/tag/v1.2.5",
    "id": "CVE-2026-42574",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-59"
    ],
    "cvelist": null,
    "sourceData": "chainguard-dev apko >= 0.14.8, < 1.2.5",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "apko",
    "version": ">= 0.14.8, < 1.2.5",
    "vendor": "chainguard-dev",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root_CVE-2026-42574