Security: chainguard-dev/apko
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
downloaded apk packages are not verified against APKINDEX checksum (package substitution possible)GHSA-hcwr-pq9g-rq3m published
Apr 23, 2026 by antitreeHigh -
Symlink-following path traversal in apko dirFS allows multiple entry points to escape the build rootGHSA-qq3r-w4hj-gjp6 published
Apr 23, 2026 by antitreeHigh -
panic on non-rsa jwks key in apko `DiscoverKeys` causes crash during key discoveryGHSA-m7hm-vm4x-28jf published
Apr 23, 2026 by antitreeModerate -
unbounded resource consumption in expandapk.Split on attacker-controlled .apk streamsGHSA-6p9p-q6wh-9j89 published
Feb 3, 2026 by antitreeModerate -
potential unbounded resource consumption in expandapk.ExpandApk on attacker-controlled .apk streamsGHSA-f4w5-5xv9-85f6 published
Feb 3, 2026 by antitreeHigh -
Path traversal in apko dirFS allows filesystem writes outside baseGHSA-5g94-c2wx-8pxw published
Feb 3, 2026 by antitreeHigh -
Incorrect permission (0666) in /etc/ld.so.cacheGHSA-x6ph-r535-3vjw published
Jul 18, 2025 by eslermHigh -
Exposure of HTTP basic auth credentials in log outputGHSA-v6mg-7f7p-qmqp published
Jun 3, 2024 by imjasonhHigh