GHSA-QQ3R-W4HJ-GJP6

Vulnerability from github – Published: 2026-05-04 21:26 – Updated: 2026-05-13 13:42
Summary
apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root
Details

Impact

A crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. The root cause was the sanitizePath helper in pkg/apk/fs/rwosfs.go, which rejected only lexical .. traversal and did not resolve or refuse symlinks. Every disk-backed DirFS method that handed its caller-supplied path to a symlink-following stdlib call — ReadFile, WriteFile, Chmod, Chown, Chtimes, MkdirAll, Mkdir, and Mknod — was affected. The reachable primitive from a malicious APK during tar extraction is the MkdirAll / Mkdir / WriteFile chain via apko build-cpio and disk-backed consumers such as melange; the remaining sinks are reachable by direct callers of the pkg/apk/fs package. The in-memory tarfs install path used by apko build, apko publish, and apko build-minirootfs is not affected.

Patches

Fixed in apko v1.2.5 by #2187 / commit f5a96e1, which scopes all DirFS operations through a Go 1.24 *os.Root. The sanitizePath helper has been removed; *os.Root refuses traversal via .., absolute-target symlinks, relative-target symlinks, and hardlinks by construction. Regression tests in pkg/apk/apk/path_traversal_test.go cover each composite primitive.

Workarounds

No complete workaround. Operators running pre-1.2.5 apko (or downstream tools such as melange that embed pre-1.2.5 pkg/apk/fs) should upgrade. Consuming only APKs from trusted, signed sources reduces but does not eliminate exposure.
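
There is no complete workaround, but an operator who cannot upgrade yet can at least refuse archives that carry the composite primitive before a pre-1.2.5 extractor sees them. The pre-flight scanner below is an added example, not apko's or melange's code, and its names (Scanner, Scan, escapes, resolveTarget, sampleArchive) are hypothetical. It reads a tar stream without extracting anything, remembers every symlink entry, and reports entries that would be created through an earlier symlink whose target resolves outside the root, hardlinks with escaping targets, and names that escape lexically. It assumes a plain tar stream; a real .apk is gzip-compressed and split into sections, so producing that stream is left to the caller.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// Scanner remembers the symlink entries seen so far; one Scanner fed the archives of an install
// in order also covers the "same or later archive" case. It extracts nothing.
type Scanner struct {
	links map[string]string // cleaned symlink entry name -> resolved target
}

func NewScanner() *Scanner { return &Scanner{links: map[string]string{}} }

// escapes reports whether a cleaned, slash-separated path lies outside the extraction root.
func escapes(p string) bool {
	return path.IsAbs(p) || p == ".." || strings.HasPrefix(p, "../")
}

// resolveTarget is where a symlink at name would point, seen from the root: absolute targets stay
// absolute (the host path a naive extractor would follow), relative ones join the link's directory.
func resolveTarget(name, target string) string {
	if path.IsAbs(target) {
		return path.Clean(target)
	}
	return path.Clean(path.Join(path.Dir(name), target))
}

// Scan reads one tar stream and returns one "entry: reason" line per entry that a
// symlink-following extractor would place outside the root. Chains of symlinks are not followed.
func (s *Scanner) Scan(r io.Reader) ([]string, error) {
	var findings []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return findings, nil
		}
		if err != nil {
			return findings, err
		}
		name := path.Clean(hdr.Name)
		if escapes(name) {
			findings = append(findings, hdr.Name+": entry name escapes the root lexically")
			continue
		}
		// An ancestor directory that an earlier entry declared as an escaping symlink is one the
		// extractor would follow while creating this entry (the MkdirAll/WriteFile chain).
		for dir := path.Dir(name); dir != "."; dir = path.Dir(dir) {
			if target, ok := s.links[dir]; ok && escapes(target) {
				findings = append(findings, fmt.Sprintf("%s: written through symlink %s -> %s", hdr.Name, dir, target))
				break
			}
		}
		switch hdr.Typeflag {
		case tar.TypeSymlink:
			s.links[name] = resolveTarget(name, hdr.Linkname)
		case tar.TypeLink:
			if escapes(path.Clean(hdr.Linkname)) {
				findings = append(findings, fmt.Sprintf("%s: hardlink to %s outside the root", hdr.Name, hdr.Linkname))
			}
		}
	}
}

// sampleArchive is a constructed tar stream (not a real .apk) mixing benign entries with the
// composite primitives the advisory describes.
func sampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, h := range []tar.Header{
		{Typeflag: tar.TypeReg, Name: "usr/bin/tool", Mode: 0o755},
		{Typeflag: tar.TypeSymlink, Name: "usr/lib/libz.so", Linkname: "libz.so.1", Mode: 0o777},
		{Typeflag: tar.TypeSymlink, Name: "etc", Linkname: "/home/builder", Mode: 0o777},
		{Typeflag: tar.TypeReg, Name: "etc/pwned", Mode: 0o644},
		{Typeflag: tar.TypeSymlink, Name: "var/cache", Linkname: "../../host-cache", Mode: 0o777},
		{Typeflag: tar.TypeDir, Name: "var/cache/apk", Mode: 0o755},
		{Typeflag: tar.TypeLink, Name: "passwd", Linkname: "../../etc/passwd", Mode: 0o644},
		{Typeflag: tar.TypeReg, Name: "../escape.txt", Mode: 0o644},
	} {
		_ = tw.WriteHeader(&h)
	}
	_ = tw.Close()
	return buf.Bytes()
}

func main() {
	findings, err := NewScanner().Scan(bytes.NewReader(sampleArchive()))
	for _, f := range findings {
		fmt.Println(f)
	}
	if err != nil {
		fmt.Println("scan error:", err)
	}
}
```

On the sample it reports four entries (etc/pwned, var/cache/apk, passwd and ../escape.txt) and stays quiet about the relative in-tree link usr/lib/libz.so, which is the kind of entry a rule like "reject all symlinks" would wrongly block. The limits matter: the scanner cannot see symlinks already present in the build root from a base layer or an earlier, unscanned package, it does not follow chains of links, and nothing it does hardens the extractor itself. It is a triage filter for the interval before the upgrade, not a replacement for it.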

Resources

  • https://github.com/chainguard-dev/apko/pull/2187
  • https://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442
  • https://github.com/chainguard-dev/apko/releases/tag/v1.2.5
  • Related: GHSA-5g94-c2wx-8pxw (CVE-2026-25121) — prior lexical .. traversal fix

Credits

apko thanks Oleh Konko (@1seal from 1seal.org) for the initial report of the symlink-escape class, and @Xh081iX for a follow-up set of reports covering additional reachable primitives (ReadFile, Chmod/Chown, Mknod, MkdirAll/Mkdir) that shaped the comprehensive fix.

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "chainguard.dev/apko"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.14.8"
            },
            {
              "fixed": "1.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42574"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T21:26:47Z",
    "nvd_published_at": "2026-05-09T20:16:29Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA crafted `.apk` could install a `TypeSymlink` tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. The root cause was the `sanitizePath` helper in `pkg/apk/fs/rwosfs.go`, which rejected only lexical `..` traversal and did not resolve or refuse symlinks. Every disk-backed `DirFS` method that handed its caller-supplied path to a symlink-following stdlib call \u2014 `ReadFile`, `WriteFile`, `Chmod`, `Chown`, `Chtimes`, `MkdirAll`, `Mkdir`, and `Mknod` \u2014 was affected. The reachable primitive from a malicious APK during tar extraction is the `MkdirAll` / `Mkdir` / `WriteFile` chain via `apko build-cpio` and disk-backed consumers such as `melange`; the remaining sinks are reachable by direct callers of the `pkg/apk/fs` package. The in-memory `tarfs` install path used by `apko build`, `apko publish`, and `apko build-minirootfs` is not affected.\n\n### Patches\n\nFixed in apko **v1.2.5** by [#2187](https://github.com/chainguard-dev/apko/pull/2187) / commit [f5a96e1](https://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442), which scopes all `DirFS` operations through a Go 1.24 `*os.Root`. The `sanitizePath` helper has been removed; `*os.Root` refuses traversal via `..`, absolute-target symlinks, relative-target symlinks, and hardlinks by construction. Regression tests in `pkg/apk/apk/path_traversal_test.go` cover each composite primitive.\n\n### Workarounds\n\nNo complete workaround. Operators running pre-1.2.5 apko (or downstream tools such as melange that embed pre-1.2.5 `pkg/apk/fs`) should upgrade. Consuming only APKs from trusted, signed sources reduces but does not eliminate exposure.\n\n### Resources\n\n- https://github.com/chainguard-dev/apko/pull/2187\n- https://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442\n- https://github.com/chainguard-dev/apko/releases/tag/v1.2.5\n- Related: GHSA-5g94-c2wx-8pxw (CVE-2026-25121) \u2014 prior lexical `..` traversal fix\n\n### Credits\n\napko thanks Oleh Konko ([@1seal](https://github.com/1seal) from [1seal.org](https://1seal.org/)) for the initial report of the symlink-escape class, and to [@Xh081iX](https://github.com/Xh081iX) for a follow-up set of reports covering additional reachable primitives (`ReadFile`, `Chmod`/`Chown`, `Mknod`, `MkdirAll`/`Mkdir`) that shaped the comprehensive fix.",
  "id": "GHSA-qq3r-w4hj-gjp6",
  "modified": "2026-05-13T13:42:42Z",
  "published": "2026-05-04T21:26:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-qq3r-w4hj-gjp6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42574"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chainguard-dev/apko/pull/2187"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/chainguard-dev/apko"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chainguard-dev/apko/releases/tag/v1.2.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root"
}

