Advisories for Golang/Chainguard.dev/Apko package

2026

apko has a path traversal in apko dirFS which allows filesystem writes outside base

A Path Traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. Fix: Fixed by d8b7887. Merged into release. Acknowledgements apko thanks Oleh Konko …

apko affected by unbounded resource consumption in expandapk.Split on attacker-controlled .apk streams

expandapk.Split drains the first gzip stream of an APK archive via io.Copy(io.Discard, gzi) without explicit bounds. With an attacker-controlled input stream, this can force large gzip inflation work and lead to resource exhaustion (availability impact). The Split function reads the first tar header, then drains the remainder of the gzip stream by reading from the gzip reader directly without any maximum uncompressed byte limit or inflate-ratio cap. A caller that …

2025

apko is vulnerable to attack through incorrect permissions in /etc/ld.so.cache and other files

It was discovered that the ld.so.cache in images generated by apko had file system permissions mode 0666: bash-5.3# find / -type f -perm -o+w /etc/ld.so.cache

2024

apko Exposure of HTTP basic auth credentials in log output

Exposure of HTTP basic auth credentials from repository and keyring URLs in log output