DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key (e.g. EC), the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK database and fetches repository keys. Affected versions <= 0.30.34.
Fix: No fix available yet.
Acknowledgements
apko thanks Oleh Konko from 1seal for discovering and reporting this issue.
| Score | Percentile |
|---|---|
| 0.03% | 10.41% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 6.5 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-m7hm-vm4x-28jf ↗ |
| CVE | CVE-2026-42576 ↗ |
| CWE id | Name |
|---|---|
| CWE-704 | Incorrect Type Conversion or Cast |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | chainguard.dev/apko | < 1.2.7 | 1.2.7 | — |