PT-2026-6270 · Apko · Apko

1Seal · Published 2026-02-04 · Updated 2026-03-03

CVE-2026-25140

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: apko versions 0.14.8 through 1.1.0
Description: apko is a tool that enables users to build and publish OCI container images from apk packages. A flaw exists where a malicious or compromised APK repository can lead to resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go does not limit decompression, allowing a small, highly compressed .apk file to expand into a large tar stream, potentially causing build failures or a denial of service.
Recommendations: Update to version 1.1.1 or later.
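The unbounded expansion described above, shown as an added defensive example (not apko's own code or its fix): a Go routine that caps how many bytes a gzip-compressed tar stream may decompress to, together with a constructed highly compressed archive to exercise it. ExpandBounded, MakeBomb, the file name and the 64 KiB limit are illustrative and assumed, not values taken from the project.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

var ErrExpansionLimit = errors.New("apk expansion exceeds configured limit")
// ExpandBounded drains a gzip-compressed tar stream (the shape of an .apk data section) and stops as soon as more than maxBytes has been decompressed.
func ExpandBounded(r io.Reader, maxBytes int64) (int64, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return 0, err
	}
	// One byte of headroom distinguishes an overrun from an archive that fits exactly.
	lr := &io.LimitedReader{R: gz, N: maxBytes + 1}
	tr := tar.NewReader(lr)
	for {
		_, err := tr.Next()
		if err == nil {
			_, err = io.Copy(io.Discard, tr) // drain the entry body
		}
		if expanded := maxBytes + 1 - lr.N; expanded > maxBytes {
			return expanded, ErrExpansionLimit
		} else if err == io.EOF {
			return expanded, nil // clean end of archive within budget
		} else if err != nil {
			return expanded, err
		}
	}
}
// MakeBomb is a constructed sample: one tar entry of `size` zero bytes, gzipped, so the archive is tiny on disk but large once expanded.
func MakeBomb(size int) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	tw.WriteHeader(&tar.Header{Typeflag: tar.TypeReg, Name: "usr/lib/big.bin", Mode: 0o644, Size: int64(size)})
	tw.Write(make([]byte, size))
	tw.Close()
	gz.Close()
	return buf.Bytes()
}
func main() {
	n, err := ExpandBounded(bytes.NewReader(MakeBomb(1<<20)), 64<<10)
	fmt.Println("stopped after", n, "bytes:", err)
}
```

With the 64 KiB cap the 1 MiB sample is rejected after reading one byte past the limit; raising the cap above the archive's true size lets it expand fully.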

DoS

Resource Exhaustion

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2026-25140
GHSA-F4W5-5XV9-85F6
GO-2026-4410
SUSE-SU-2026:0757-1

Affected Products

Apko