CVE-2026-25121: apko has a path traversal in apko dirFS which allows filesystem writes outside base

February 3, 2026 (updated February 4, 2026)

A Path Traversal vulnerability was discovered in apko’s dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory.

Fix: Fixed by d8b7887. Merged into release.

Acknowledgements

apko thanks Oleh Konko from 1seal for discovering and reporting this issue.

References

github.com/advisories/GHSA-5g94-c2wx-8pxw
github.com/chainguard-dev/apko
github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14
github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw
nvd.nist.gov/vuln/detail/CVE-2026-25121

Code Behaviors & Features

Detect and mitigate CVE-2026-25121 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →