NIXPKGS-2026-0093

GitHub issue published on 5 Feb 2026

Permalink CVE-2026-25121

updated 2 weeks, 2 days ago by @LeSuisse Activity log

Created automatic suggestion 2 weeks, 3 days ago
@LeSuisse accepted 2 weeks, 2 days ago
@LeSuisse published on GitHub 2 weeks, 2 days ago

apko is vulnerable to path traversal in apko dirFS which allows filesystem writes outside base

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1.

Affected products

apko

==>= 0.14.8, < 1.1.1

Matching in nixpkgs

pkgs.apko

Build OCI images using APK directly without Dockerfile

nixos-unstable 1.0.5
- nixpkgs-unstable 1.0.5
- nixos-unstable-small 1.0.5
nixos-25.11 0.30.22
- nixos-25.11-small 0.30.22
- nixpkgs-25.11-darwin 0.30.22

Package maintainers

@emilylange Emily Lange <nix@emilylange.de>
@developer-guy Batuhan Apaydın <developerguyn@gmail.com>
@06kellyjac Jack <hello+nixpkgs@j-k.io>

Upstream advisory: https://github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw
Upstream patch: https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0093

Affected products

Matching in nixpkgs

pkgs.apko

Package maintainers