GHSA-5g94-c2wx-8pxw · Severity: high · Ecosystem: go — apko has a path traversal in apko dirFS which allows filesystem writes outside base
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1.
Conclusion & alert: CVE-2026-25121 is rated Low Risk (32.3/100): CVSS High severity, with low exploitation likelihood (EPSS 0.02%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-05-22 | 0.07% | 0.02% | -0.04% |
| 2 | 2026-02-18 | 0.04% | 0.07% | +0.03% |
| 3 | 2026-02-05 | — | 0.04% | — |
Full EPSS history (3 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
GHSA-5g94-c2wx-8pxw · Severity: high · Ecosystem: go — apko has a path traversal in apko dirFS which allows filesystem writes outside base
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| chainguard | apko | >= 0.14.8, < 1.1.1 | cpe:2.3:a:chainguard:apko:*:*:*:*:*:go:*:* |