How the mentioned CVE works:
The vulnerability arises from flawed path sanitization in apko versions prior to 1.2.5. The `sanitizePath` helper in `pkg/apk/fs/rwosfs.go` only rejected lexical `..` sequences; it neither resolved nor blocked symbolic links. A malicious `.apk` file can therefore include a `TypeSymlink` tar entry whose target points outside the build root (e.g., `/etc/shadow` or `/root/.ssh`). A later entry in the same or a subsequent archive, whether a directory creation (`MkdirAll`/`Mkdir`) or a file write (`WriteFile`), can then traverse that symlink. Because the `DirFS` methods (`ReadFile`, `WriteFile`, `Chmod`, `Chown`, `Chtimes`, `MkdirAll`, `Mkdir`, and `Mknod`) pass caller-supplied paths straight to symlink-following standard library calls, the symlink is followed and the write lands outside the intended build root.

The primitive is reachable via `apko build-cpio` and disk-backed consumers such as `melange` during tar extraction. The in-memory `tarfs` install path (`apko build`, `apko publish`, `apko build-minirootfs`) is not affected. The patch in apko v1.2.5 replaces all `DirFS` operations with Go 1.24's `os.Root`, which by design blocks traversal via `..`, absolute or relative symlinks, and hardlinks.
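Added example (not apko's own code): a minimal Go reproduction of the two checks described above. `lexicalSanitize` stands in for the pre-1.2.5 `sanitizePath` behaviour, and `resolveInsideRoot` is a hardened alternative built on `filepath.EvalSymlinks` rather than the `os.Root` API the real fix uses, so it also runs on Go releases before 1.24. The temp layout and the `escape/pwned` entry are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// lexicalSanitize mirrors the pre-1.2.5 weakness: ".." components are rejected,
// but a leading symlink component pointing outside root still passes unchanged.
func lexicalSanitize(root, p string) (string, error) {
	for _, c := range strings.Split(filepath.ToSlash(p), "/") {
		if c == ".." { return "", fmt.Errorf("path traversal rejected: %s", p) }
	}
	return filepath.Join(root, p), nil
}

// resolveInsideRoot is the hardened check: resolve the directory that will receive
// the write and require it to stay under the resolved root before touching disk.
func resolveInsideRoot(root, p string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil { return "", err }
	full := filepath.Join(realRoot, p)
	realParent, err := filepath.EvalSymlinks(filepath.Dir(full))
	if err != nil { return "", err }
	if realParent != realRoot && !strings.HasPrefix(realParent, realRoot+string(filepath.Separator)) {
		return "", fmt.Errorf("symlink escape rejected: %s resolves into %s", p, realParent)
	}
	return filepath.Join(realParent, filepath.Base(full)), nil
}

// Demo builds a constructed layout (<tmp>/root/escape -> <tmp>), writes "escape/pwned"
// through both checks, and reports whether the vulnerable path escaped root and whether
// the hardened check refused the entry. Everything is created under a temp dir.
func Demo() (escaped, blocked bool, err error) {
	tmp, err := os.MkdirTemp("", "apko-symlink-demo")
	if err != nil { return }
	defer os.RemoveAll(tmp)
	root := filepath.Join(tmp, "root")
	if err = os.Mkdir(root, 0o755); err != nil { return }
	if err = os.Symlink(tmp, filepath.Join(root, "escape")); err != nil { return }
	// Vulnerable: the lexical check passes and os.WriteFile follows the symlink.
	target, _ := lexicalSanitize(root, "escape/pwned")
	if err = os.WriteFile(target, []byte("x"), 0o644); err != nil { return }
	_, statErr := os.Stat(filepath.Join(tmp, "pwned")); escaped = statErr == nil
	// Hardened: the same entry is rejected before any write is attempted.
	_, rejectErr := resolveInsideRoot(root, "escape/pwned"); blocked = rejectErr != nil
	return
}
```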
dailycve form:
Platform: apko
Version: pre-1.2.5
Vulnerability: Symlink traversal
Severity: Critical
Date: 2026-05-04
Prediction: Already patched (v1.2.5)
Analytics under What Undercode Say:
```shell
# Simulate malicious APK creation (conceptual, not a working command sequence)
tar --symlink --xform='s|.|../../etc/passwd|' -cf malicious.apk symlink
tar --append --file=malicious.apk --transform='s|.|../../etc/passwd|' -T <(echo "data")

# Check for a vulnerable apko version: anything below v1.2.5, not only v1.2.0-v1.2.4
v="v$(apko version 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)"
[ "$(printf '%s\n' "$v" v1.2.5 | sort -V | head -n1)" != v1.2.5 ] && echo "Vulnerable: $v"

# Audit an installed apko binary for the pre-patch helper name
grep -r "sanitizePath" "$(which apko)" && echo "Uses pre-patch code"

# After upgrade, verify the fix using the project's test
go test -run TestPathTraversal ./pkg/apk/apk/...
```
Exploit:
- Craft an APK containing a symlink entry pointing outside the build root (e.g., `../../etc/shadow`).
- Include a subsequent directory or file entry that writes through that symlink.
- During `apko build-cpio` or `melange` execution, the archive extraction follows the symlink, overwriting host files.
Protection from this CVE:
- Upgrade to apko v1.2.5 or later (commit f5a96e1).
- If upgrade is impossible, avoid processing untrusted APKs; use only signed, trusted sources (reduces but does not eliminate risk).
- There is no complete workaround; the fix replaces `sanitizePath` with `os.Root`, which blocks symlink escape by design.
Impact:
- A crafted APK can write arbitrary files outside the build root, leading to host system compromise (e.g., overwriting SSH keys, modifying `/etc/passwd`, planting rootkits).
- Affects all disk-backed operations in apko pre-1.2.5 and any tool embedding the vulnerable `pkg/apk/fs` (e.g., melange).
- The in-memory tarfs path (`apko build`/`apko publish`) is not vulnerable.
Sources:
Reported By: github.com