Vamsik2K5

**Name of the Vulnerable Software and Affected Versions** apko versions 0.14.8 through 1.2.4 **Description** A crafted .apk file can install a `TypeSymlink` tar entry with a target pointing outside the build root. Subsequent directory-creation or file-write entries in the same or later archive can traverse this symlink to access host paths that the build user has permission to write to. The issue stems from the `sanitizePath` helper in `pkg/apk/fs/rwosfs.go`, which only rejected lexical `..` traversal and failed to resolve or refuse symlinks. This affects disk-backed `DirFS` methods that pass caller-supplied paths to symlink-following standard library calls, including `ReadFile()`, `WriteFile()`, `Chmod()`, `Chown()`, `Chtimes()`, `MkdirAll()`, `Mkdir()`, and `Mknod()`. The primary reachable primitive during tar extraction is the `MkdirAll()` / `Mkdir()` / `WriteFile()` chain via `apko build-cpio` and disk-backed consumers like `melange`. **Recommendations** Update to version 1.2.5.

**Name of the Vulnerable Software and Affected Versions** Coder/code-marketplace versions through 2.4.1 **Description** A Zip Slip vulnerability allows a malicious VSIX file to write arbitrary files outside the extension directory. The `ExtractZip` function passes raw zip entry names to a callback that writes files using `filepath.Join` without a boundary check. `filepath.Join` resolves '..' components but does not prevent the result from escaping the base path. An authenticated user can submit a VSIX containing path-traversal entries, potentially leading to persistence, SSH key injection, or binary overwrite depending on process privileges. **Recommendations** Update to version 2.4.2 or later.