Threat Advisory

Apko Vulnerabilities Trigger Resource Exhaustion in Build Pipelines

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

Three vulnerabilities were identified in the APK handling code of apko, the tool used to assemble container images from APK packages. All three could lead to significant availability and integrity impacts if exploited. The first is an uncontrolled resource consumption flaw: an attacker-controlled APK stream fed into the ExpandApk function can inflate into an unbounded amount of decompressed data, exhausting memory or disk and slowing or crashing the process. The second is a path traversal flaw in the dirFS filesystem abstraction, which lets crafted APK contents write files or create directories outside the intended base path and so modify the filesystem without authorization. The third affects the Split function on the same APK processing path: gzip streams are decompressed with no upper bound on their uncompressed size, so a small crafted input can consume disproportionate CPU time and degrade or halt the affected process. Together these issues point to insufficient input validation and missing resource limits in the APK parsing logic, which an attacker could abuse through a malicious package source or a compromised repository.

  • CVE-2026-25140: Uncontrolled resource consumption in the apko ExpandApk function. A crafted APK can inflate into excessively large data during extraction, so an attacker supplying such a package can exhaust CPU, memory or disk and cause a denial of service in build or processing environments. The vulnerability has a CVSS score of 7.5.
  • CVE-2026-25121: Path traversal in the apko dirFS component. Crafted APK contents can escape the intended directory during extraction, so a malicious package may create or modify files outside the expected filesystem path and compromise the integrity of the affected environment. The vulnerability has a CVSS score of 7.5.
  • CVE-2026-25122: Resource exhaustion in the expandapk.Split function of apko. The function decompresses gzip streams without limiting the uncompressed size, so a crafted APK can force excessive decompression work, consuming CPU time and slowing or disrupting build processes. The vulnerability has a CVSS score of 5.5.
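The three findings share one root cause: archive content is trusted during extraction, both in how much it may inflate to and in where it may land. The Go program below is an added example written for this advisory; it is not apko's code and not the fix shipped in the referenced advisories. It shows the two controls a hardened extractor needs: a byte budget on the decompressed stream that fails rather than truncates (the control missing from ExpandApk and Split), and a lexical containment check on every entry name before anything is written (the control missing from dirFS). An Alpine APK is a series of concatenated gzip-compressed tar segments; to stay short the example processes a single segment. Every name in it (limitedReader, safeJoin, extractTarGz, buildTarGz, demos), the /out extraction root, the 1 MiB budget and the archives it builds are assumptions for illustration, and the archives are constructed in memory rather than taken from any real package.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// Hypothetical error values for this example; apko's own code uses other names.
var (
	ErrDecompressLimit = errors.New("decompressed size limit exceeded")
	ErrPathTraversal   = errors.New("entry path escapes base directory")
)

// limitedReader fails with ErrDecompressLimit on the first byte past the budget instead of
// truncating silently like io.LimitReader does. It never requests more than left+1 bytes,
// so left bottoms out at -1 and a later call simply reports the error again.
type limitedReader struct {
	r    io.Reader
	left int64
}

func (l *limitedReader) Read(p []byte) (int, error) {
	if int64(len(p)) > l.left+1 {
		p = p[:l.left+1]
	}
	n, err := l.r.Read(p)
	if l.left -= int64(n); l.left < 0 {
		return n, ErrDecompressLimit
	}
	return n, err
}

// safeJoin confines an entry name to base; any ".." that climbs above base is rejected
// before anything touches the disk. Join collapses ".." and treats a leading "/" as relative.
func safeJoin(base, name string) (string, error) {
	target := filepath.Join(base, name)
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return target, nil
}

// extractTarGz walks one gzip-compressed tar stream, bounding the total decompressed bytes
// (headers included) and confining every entry to base. Bodies go to io.Discard here.
func extractTarGz(compressed []byte, base string, maxDecompressed int64) (written []string, err error) {
	gz, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	tr := tar.NewReader(&limitedReader{r: gz, left: maxDecompressed})
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		dst, err := safeJoin(base, hdr.Name)
		if err != nil {
			return written, fmt.Errorf("%s: %w", hdr.Name, err)
		}
		if _, err := io.Copy(io.Discard, tr); err != nil { // a real extractor writes to dst
			return written, err
		}
		written = append(written, dst)
	}
}

type file struct{ name, body string } // constructed in-memory fixture, not a real APK

func buildTarGz(files []file) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, f := range files {
		if err := tw.WriteHeader(&tar.Header{Name: f.name, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(f.body))}); err != nil {
			panic(err)
		}
		io.WriteString(tw, f.body) // in-memory writers; cannot fail once the header is accepted
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

// demos runs two constructed archives against a 1 MiB budget and a hypothetical /out root:
// one with a benign entry followed by a "../" escape, one with 4 MiB of zeros (gzips to a few KB).
func demos() (accepted []string, traversal, bomb error) {
	accepted, traversal = extractTarGz(buildTarGz([]file{{"etc/motd", "ok"}, {"../escaped.txt", "x"}}), "/out", 1<<20)
	_, bomb = extractTarGz(buildTarGz([]file{{"bomb.bin", strings.Repeat("\x00", 4<<20)}}), "/out", 1<<20)
	return
}

func main() {
	fmt.Println(demos())
}
```

In the first archive the benign entry is accepted as /out/etc/motd and the escape is refused before any write; in the second the few-kilobyte input trips ErrDecompressLimit once the decompressed stream passes the budget, which is the behaviour that stops a decompression bomb without first inflating it. Two caveats apply to any production version: the lexical check does nothing about symlink or hardlink entries (an entry that creates a symlink pointing outside base, followed by an entry that writes through it, needs lstat-based checking at write time), and the budget must cover every gzip segment of an APK, not just one, with the same cap applied to any intermediate buffer the extractor keeps in memory.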

 

RECOMMENDATION:

  • We strongly recommend updating apko to version 1.1.4 or later, and rebuilding any images produced by earlier versions from untrusted or third-party package sources.

 

REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-f4w5-5xv9-85f6

https://github.com/advisories/GHSA-5g94-c2wx-8pxw

https://github.com/advisories/GHSA-6p9p-q6wh-9j89
