CVE-2026-25121
Published: 04 February 2026
Summary
CVE-2026-25121 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Chainguard Apko. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001); it is ranked at the 23.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in apko's dirFS (via malicious APK package from compromised/typosquatted repo) directly enables arbitrary directory/symlink creation outside the build root on the host, mapping to compromise of software dependencies and development tools in the supply chain.
NVD Description
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1.
Deeper analysis
CVE-2026-25121 is a path traversal vulnerability in apko, a tool for building and publishing OCI container images from apk packages. The issue affects versions from 0.14.8 up to but not including 1.1.1 and resides in the dirFS filesystem abstraction, specifically the MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go. These methods use filepath.Join() to construct paths without validating that the resulting path remains within the intended base installation directory, so a package entry containing ".." components resolves outside the root. The vulnerability is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and maps to CWE-23 (Relative Path Traversal) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
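As an added illustration (not apko's code and not the patching commit), the Go snippet below contrasts the weak pattern the advisory describes, a base-rooted filesystem wrapper that joins a package-supplied path onto its base with filepath.Join and nothing else, with a containment check that rejects any result resolving outside the base. The dirFS type, safeJoin, unsafeJoin, classify and the sample package entries are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a package-supplied path would resolve outside the base.
var ErrOutsideBase = errors.New("path escapes base directory")

// unsafeJoin reproduces the weak pattern: the package path is joined onto the
// base with filepath.Join and never checked, so ".." components walk out of it.
func unsafeJoin(base, name string) string {
	return filepath.Join(base, name)
}

// safeJoin joins name under base and rejects any result that is not inside base.
// The check is lexical: Join cleans ".." components, then Rel reveals whether the
// cleaned result still sits below base (a leading ".." in rel means it does not).
func safeJoin(base, name string) (string, error) {
	base = filepath.Clean(base)
	full := filepath.Join(base, name)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves to %q", ErrOutsideBase, name, full)
	}
	return full, nil
}

// dirFS is a constructed stand-in for a base-rooted filesystem wrapper (hypothetical,
// not apko's type). Every write path goes through safeJoin before touching the host.
type dirFS struct{ base string }

func (d dirFS) MkdirAll(name string, perm os.FileMode) error {
	p, err := safeJoin(d.base, name)
	if err != nil {
		return err
	}
	return os.MkdirAll(p, perm)
}

// Symlink validates where the link is placed (newname). The link target (oldname)
// is not resolved here, so later traversal through an existing link still needs a
// resolving check; see the note below the block.
func (d dirFS) Symlink(oldname, newname string) error {
	p, err := safeJoin(d.base, newname)
	if err != nil {
		return err
	}
	return os.Symlink(oldname, p)
}

// classify runs package path entries through safeJoin and reports which were
// accepted and which were rejected, for inspection or testing.
func classify(base string, names []string) (accepted, rejected []string) {
	for _, n := range names {
		if _, err := safeJoin(base, n); err != nil {
			rejected = append(rejected, n)
		} else {
			accepted = append(accepted, n)
		}
	}
	return accepted, rejected
}

func main() {
	// Constructed sample: entries a package might ask the builder to create.
	entries := []string{
		"usr/lib/foo",        // normal relative entry
		"/etc/foo",           // absolute: Join keeps it under base
		"../../outside-root", // traversal: escapes base
		"var/../../escaped",  // traversal hidden behind a benign prefix
	}
	base := filepath.Join(os.TempDir(), "build-root")
	for _, e := range entries {
		fmt.Printf("unsafe: %-22s -> %s\n", e, unsafeJoin(base, e))
	}
	acc, rej := classify(base, entries)
	fmt.Println("accepted:", acc)
	fmt.Println("rejected:", rej)
	fs := dirFS{base: base}
	fmt.Println("MkdirAll on traversal entry:", fs.MkdirAll("../../outside-root", 0o755))
}
```

The containment check here is purely lexical, which is exactly what the advisory says was missing: it stops a cleaned path from pointing above the base. It does not resolve symlinks that already exist under the base, so a link created earlier inside the root and pointing upward can still be followed by a later MkdirAll. A build tool that wants that covered as well needs a resolving, root-bound API such as Go 1.24's os.Root, which refuses operations that would leave the root through a symlink.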
An attacker can exploit this vulnerability by supplying a malicious APK package, such as through a compromised or typosquatted repository. Users of vulnerable apko versions who build container images from such packages enable the attacker to create directories or symlinks outside the intended installation root on the host filesystem. This requires no privileges and can be performed remotely with low complexity, resulting in high integrity impact but no confidentiality or availability disruption.
The vulnerability has been patched in apko version 1.1.1. Security practitioners should upgrade to this version or later. Additional details are available in the Chainguard GitHub security advisory (GHSA-5g94-c2wx-8pxw) and the patching commit (d8b7887a968a527791b3c591ae83928cb49a9f14).
Details
- CWE(s)