PT-2026-37052 · Apko · Melange
Published 2026-05-04 · Updated 2026-05-10
CVE-2026-42574
CVSS v3.1 7.5 High
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions apko versions 0.14.8 through 1.2.4
Description A crafted .apk file can install a TypeSymlink tar entry whose target points outside the build root. Subsequent directory-creation or file-write entries, in the same archive or in a later one, can traverse that symlink and reach host paths that the build user is permitted to write to.

The issue stems from the sanitizePath helper in pkg/apk/fs/rwosfs.go, which only rejected lexical .. traversal and neither resolved nor refused symlinks. Because the escape goes through an existing symlink rather than through .. components, lexical normalisation of the entry name cannot detect it; the path has to be resolved against the build root (or symlinks refused) before any filesystem call is made.

This affects the disk-backed DirFS methods that pass caller-supplied paths to symlink-following standard library calls, including ReadFile(), WriteFile(), Chmod(), Chown(), Chtimes(), MkdirAll(), Mkdir(), and Mknod(). The primary reachable primitive during tar extraction is the MkdirAll() / Mkdir() / WriteFile() chain via apko build-cpio and disk-backed consumers such as melange. The CVSS vector (C:N/I:H/A:N) reflects this: the outcome is an arbitrary file write as the build user, not a read.
Recommendations Update to version 1.2.5.
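The scenario above, replayed in Go as an added example (this is not apko's code and none of the names below exist in the project; rejectDotDot, safeJoin and Demo are hypothetical stand-ins). A scratch directory is set up the way a crafted package would leave it, with an escape -> ../outside symlink already extracted, and a later "escape/pwned" write entry is then run through a lexical-only check, which passes it and lands the file outside the root, and through a join that resolves every symlink component against the real root, which refuses it. A symlink that stays inside the root (lib -> usr/lib, the normal package case) is resolved and allowed, so the hardening does not break legitimate archives.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscape is returned when a path would leave the build root.
var ErrEscape = errors.New("path escapes build root")

// rejectDotDot is the purely lexical check: it refuses any ".." component but
// never consults the filesystem, so it cannot see an already-extracted symlink.
func rejectDotDot(name string) error {
	for _, p := range strings.Split(filepath.ToSlash(name), "/") {
		if p == ".." {
			return fmt.Errorf("%w: %q contains ..", ErrEscape, name)
		}
	}
	return nil
}

func within(root, p string) bool {
	return p == root || strings.HasPrefix(p, root+string(filepath.Separator))
}

// safeJoin walks name one component at a time, resolving each symlink it meets
// and refusing any whose target lies outside the resolved root. Components past
// the first non-existent one are appended unresolved: they will be created
// under a parent already proven to be inside root. A dangling link is refused
// too, because EvalSymlinks fails on it.
func safeJoin(root, name string) (string, error) {
	if err := rejectDotDot(name); err != nil {
		return "", err
	}
	rootReal, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	parts := strings.Split(filepath.ToSlash(filepath.Clean(name)), "/")
	cur := rootReal
	for i, p := range parts {
		if p == "" || p == "." {
			continue
		}
		next := filepath.Join(cur, p)
		fi, err := os.Lstat(next)
		if errors.Is(err, os.ErrNotExist) {
			return filepath.Join(append([]string{cur}, parts[i:]...)...), nil
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			real, err := filepath.EvalSymlinks(next)
			if err != nil {
				return "", err
			}
			if !within(rootReal, real) {
				return "", fmt.Errorf("%w: %q -> %s", ErrEscape, p, real)
			}
			next = real
		}
		cur = next
	}
	return cur, nil
}

// Result of replaying the advisory's scenario in a scratch directory.
type Result struct {
	LexicalEscaped  bool   // file landed outside root via the lexical-only check
	HardenedRefused bool   // safeJoin returned ErrEscape for the same entry
	InRootLink      string // what safeJoin returned for a symlink that stays in root
}

// Demo builds dir/root with an attacker symlink escape -> ../outside (what a
// crafted .apk TypeSymlink entry leaves behind) and replays a later write entry
// "escape/pwned" through both checks. Constructed scenario, not apko code.
func Demo(dir string) (Result, error) {
	var r Result
	root, outside := filepath.Join(dir, "root"), filepath.Join(dir, "outside")
	for _, d := range []string{root, outside, filepath.Join(root, "usr", "lib")} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return r, err
		}
	}
	if err := os.Symlink(filepath.Join("..", "outside"), filepath.Join(root, "escape")); err != nil {
		return r, err
	}
	if err := os.Symlink(filepath.Join("usr", "lib"), filepath.Join(root, "lib")); err != nil {
		return r, err
	}
	// 1. Lexical check only: no "..", so the entry passes, and MkdirAll/WriteFile
	//    follow the symlink out of the root exactly as the advisory describes.
	if err := rejectDotDot("escape/pwned"); err != nil {
		return r, err
	}
	p := filepath.Join(root, "escape/pwned")
	if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
		return r, err
	}
	if err := os.WriteFile(p, []byte("owned\n"), 0o644); err != nil {
		return r, err
	}
	_, statErr := os.Stat(filepath.Join(outside, "pwned"))
	r.LexicalEscaped = statErr == nil
	// 2. Hardened join: the same entry is refused before any os call touches disk.
	_, err := safeJoin(root, "escape/pwned")
	r.HardenedRefused = errors.Is(err, ErrEscape)
	// 3. An in-root symlink is resolved and allowed.
	r.InRootLink, err = safeJoin(root, "lib/libc.so")
	return r, err
}

func main() {
	dir, _ := os.MkdirTemp("", "symlink-demo-")
	defer os.RemoveAll(dir)
	r, err := Demo(dir)
	fmt.Printf("%+v err=%v\n", r, err)
}
```

Run with `go run .` on a Linux or macOS host; the program prints LexicalEscaped:true HardenedRefused:true and the resolved in-root path. safeJoin checks the resolved prefix at every level, not only at the end, so a symlink deep in a package (usr/share/doc -> /etc, say) is caught as well as a top-level one; on a root that is itself reached through a symlink (macOS /var -> /private/var) both sides are compared after EvalSymlinks, so legitimate paths are not rejected spuriously.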

Fix available

Weakness Enumeration
Link Following
Path traversal

Related Identifiers
CVE-2026-42574
GHSA-QQ3R-W4HJ-GJP6

Affected Products
Apko
Melange