← Voltar para CVEs
CVE-2026-25140
HIGH7.5
Descricao
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service. This issue has been patched in version 1.1.1.
Detalhes CVE
Pontuacao CVSS v3.17.5
SeveridadeHIGH
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado2/4/2026
Ultima modificacao2/20/2026
Fontenvd
Avistamentos honeypot0
Produtos afetados
chainguard:apko
Fraquezas (CWE)
CWE-400CWE-770
Referencias
https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09(security-advisories@github.com)
https://github.com/chainguard-dev/apko/security/advisories/GHSA-f4w5-5xv9-85f6(security-advisories@github.com)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.