PT-2026-6268 · Apko · Apko
1Seal · Published 2026-02-03 · Updated 2026-02-20 · CVE-2026-25122
CVSS v3.1: 5.5 Medium
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: apko versions 0.14.8 through 1.0.9
Description: apko is a tool for building and publishing OCI container images from apk packages. A flaw exists in the expandapk.Split function, where it drains the first gzip stream of an APK archive without explicit bounds. An attacker-controlled input stream can cause excessive gzip inflation, leading to resource exhaustion and potentially impacting availability. The Split function reads the first tar header and then drains the remaining gzip stream without limits on uncompressed byte size or inflation ratio. Parsing attacker-controlled APK streams may result in high CPU usage during gzip inflation, potentially causing timeouts or process slowdowns.
Recommendations: Update to version 1.1.0 or later.
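The two bounds the advisory says the Split function lacked are a cap on uncompressed bytes and a cap on the inflation ratio. The following is an added example, not apko's code and not the upstream fix, showing how a drain of the first gzip member can enforce both: the names DrainGzipBounded, Limits, ErrDecompressionLimit, ZeroBomb and NoisyPayload are assumptions introduced here, and the inputs are constructed in the block. It generalizes beyond the APK case to any untrusted gzip stream a service has to consume.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressionLimit is returned when an untrusted gzip member inflates
// past the configured byte cap or inflation ratio.
var ErrDecompressionLimit = errors.New("gzip member exceeded decompression limits")

// Limits is a constructed policy for draining an untrusted gzip member.
type Limits struct {
	MaxUncompressed int64 // hard cap on inflated bytes (0 disables the check)
	MaxRatio        int64 // cap on inflated/compressed bytes (0 disables the check)
}

// countingReader records how many compressed bytes the decompressor has pulled.
// gzip.Reader buffers its input, so the count can run a few KiB ahead of what
// has actually been decoded; the ratio check is therefore slightly lenient,
// never stricter than the true ratio.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// DrainGzipBounded inflates only the first gzip member of r, discards the
// output, and returns the inflated byte count. It aborts with
// ErrDecompressionLimit as soon as either limit in lim is exceeded, so a
// hostile stream costs at most the configured amount of CPU and memory.
func DrainGzipBounded(r io.Reader, lim Limits) (int64, error) {
	cr := &countingReader{r: r}
	zr, err := gzip.NewReader(cr)
	if err != nil {
		return 0, err
	}
	defer zr.Close()
	zr.Multistream(false) // stop at the end of the first member

	var inflated int64
	buf := make([]byte, 32*1024)
	for {
		n, rerr := zr.Read(buf)
		inflated += int64(n)
		if lim.MaxUncompressed > 0 && inflated > lim.MaxUncompressed {
			return inflated, ErrDecompressionLimit
		}
		if lim.MaxRatio > 0 && inflated > cr.n*lim.MaxRatio {
			return inflated, ErrDecompressionLimit
		}
		if rerr == io.EOF {
			return inflated, nil
		}
		if rerr != nil {
			return inflated, rerr
		}
	}
}

// gzipBytes compresses data into a single gzip member (constructed input).
func gzipBytes(data []byte) []byte {
	var out bytes.Buffer
	zw := gzip.NewWriter(&out)
	_, _ = zw.Write(data)
	_ = zw.Close()
	return out.Bytes()
}

// ZeroBomb builds a constructed, highly compressible member of n zero bytes.
func ZeroBomb(n int) []byte { return gzipBytes(make([]byte, n)) }

// NoisyPayload builds a constructed, essentially incompressible member of n
// pseudo-random bytes from a deterministic LCG.
func NoisyPayload(n int) []byte {
	data := make([]byte, n)
	x := uint32(0x9e3779b9)
	for i := range data {
		x = x*1664525 + 1013904223
		data[i] = byte(x >> 24)
	}
	return gzipBytes(data)
}

func main() {
	lim := Limits{MaxUncompressed: 64 << 20, MaxRatio: 100}
	for name, stream := range map[string][]byte{
		"noisy 1 KiB": NoisyPayload(1024),
		"zero 4 MiB":  ZeroBomb(4 << 20),
	} {
		n, err := DrainGzipBounded(bytes.NewReader(stream), lim)
		fmt.Printf("%-12s compressed=%d inflated=%d err=%v\n", name, len(stream), n, err)
	}
}
```

The ratio check is what stops a small stream from costing a large amount of CPU, while the byte cap bounds the total work even for a stream whose ratio stays under the threshold; a consumer of untrusted archives wants both, and the error should surface to the caller rather than be swallowed, so that a rejected package is logged as a rejected package.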

Weakness Enumeration

Allocation of Resources Without Limits
Resource Exhaustion

Related Identifiers

CVE-2026-25122
GHSA-6P9P-Q6WH-9J89
GO-2026-4406
SUSE-SU-2026:0403-1

Affected Products

Apko