apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root — CVE-2026-42574
GitHub · GitHub · CVE-2026-42574
ID
CVE-2026-42574
CVE-2026-42574
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
7.5
7.5
EPSS
0.0005
0.0005
Summary
### Impact A crafted `.apk` could install a `TypeSymlink` tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. The root cause was the `sanitizePath` helper in `pkg/apk/fs/rwosfs.go`, which rejected only lexical `..` traversal and did not resolve or…
Product
go: chainguard.dev/apko
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.