CVE-2026-25140 Overview
A resource exhaustion vulnerability exists in apko, a tool that allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko can cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service.
Critical Impact
Attackers controlling a malicious APK repository can exploit this vulnerability to exhaust system resources on build hosts, leading to denial of service conditions and build infrastructure disruption.
Affected Products
- apko versions 0.14.8 through 1.1.0
- OCI container image build environments using vulnerable apko versions
- CI/CD pipelines relying on apko for container image builds
Discovery Timeline
- 2026-02-04 - CVE-2026-25140 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-25140
Vulnerability Analysis
This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption). The core issue lies in the ExpandApk function within pkg/apk/expandapk/expandapk.go, which processes incoming .apk package streams without implementing proper decompression limits. When apko fetches packages from an APK repository, it trusts the compressed data and expands it without validating the expansion ratio or setting maximum output size constraints.
An attacker who controls or has compromised an APK repository can craft a specially constructed .apk file using compression techniques that achieve extremely high compression ratios. These "zip bomb" style attacks can produce archives that are only a few kilobytes in compressed form but expand to gigabytes or even terabytes when decompressed.
Root Cause
The root cause is the absence of limit readers when consuming data from external sources. The ExpandApk function directly decompresses incoming streams without enforcing size constraints on the decompressed output. This allows unbounded resource consumption during the expansion process.
Attack Vector
The attack requires an adversary to either control an APK repository configured in apko or compromise an existing trusted repository. Once in position, the attacker serves a malicious .apk package designed with high compression ratios. When a build process fetches and attempts to expand this package, the decompression consumes excessive disk space and CPU time, resulting in denial of service conditions on the build host.
// Security patch adding limit readers for external data sources
// Source: https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09
"chainguard.dev/apko/pkg/build"
"chainguard.dev/apko/pkg/build/types"
"chainguard.dev/apko/pkg/cpio"
+ "chainguard.dev/apko/pkg/options"
)
func buildCPIO() *cobra.Command {
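Review bot: the excerpt shows only the added import of "chainguard.dev/apko/pkg/options" in the cpio command file and no use of it, so the limit-reader wrapping that the surrounding text attributes to this commit cannot be verified from these lines. Quote the hunk in pkg/apk/expandapk/expandapk.go where the decompressed reader is wrapped, or at least the call site in buildCPIO that consumes the new package; an import with no use in the file would also fail to compile in Go, so the rest of the change to this file should be visible alongside it.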
The patch introduces the options package, which provides limit readers that bound the amount of data consumed from external sources, so a malicious package cannot expand without limit.
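As an added example, not apko's code and not the patch commit quoted above, the following Go program shows the shape of the fix that the root-cause section and the patch description call for: the decompressor is wrapped in an io.LimitReader so that a small, highly compressible stream cannot expand beyond a fixed cap. It goes one step beyond the page by also checking the expansion ratio (decompressed bytes over compressed bytes consumed), which catches a zip-bomb style stream before the absolute cap is reached. All names here (ExpandBounded, ErrDecompressionLimit, the sample generators) are assumptions, gzip stands in for the compression used in .apk files, and the "bomb" and benign inputs are constructed in the program itself.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressionLimit is returned when the expanded stream would exceed a
// configured bound. Hypothetical name, not an apko error type.
var ErrDecompressionLimit = errors.New("decompressed output exceeds configured limit")

// ratioCheckFloor is the output size below which the ratio check is skipped;
// tiny inputs produce noisy ratios, so only sustained expansion is judged.
const ratioCheckFloor = 64 << 10

// countingReader counts the compressed bytes consumed so that the expansion
// ratio can be evaluated alongside the absolute output cap.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// ExpandBounded decompresses a gzip stream into memory while enforcing two
// limits: at most maxOut bytes of output and at most maxRatio:1 expansion.
// It returns an error wrapping ErrDecompressionLimit as soon as either bound
// is crossed, so a few kilobytes of input cannot consume unbounded resources.
func ExpandBounded(compressed io.Reader, maxOut int64, maxRatio int64) ([]byte, error) {
	cr := &countingReader{r: compressed}
	zr, err := gzip.NewReader(cr)
	if err != nil {
		return nil, err
	}
	defer zr.Close()

	// Allow one byte more than the cap: reading that extra byte is how we
	// learn that the real stream is larger than maxOut without buffering it.
	lr := io.LimitReader(zr, maxOut+1)
	var out bytes.Buffer
	buf := make([]byte, 32*1024)
	for {
		n, rerr := lr.Read(buf)
		out.Write(buf[:n])
		if int64(out.Len()) > maxOut {
			return nil, fmt.Errorf("%w: more than %d bytes", ErrDecompressionLimit, maxOut)
		}
		// Ratio check against compressed bytes consumed so far; this fires
		// early on a highly repetitive stream, long before the size cap.
		if out.Len() >= ratioCheckFloor && cr.n > 0 && int64(out.Len())/cr.n > maxRatio {
			return nil, fmt.Errorf("%w: expansion ratio above %d:1", ErrDecompressionLimit, maxRatio)
		}
		if rerr == io.EOF {
			return out.Bytes(), nil
		}
		if rerr != nil {
			return nil, rerr
		}
	}
}

// gzipBytes builds the constructed sample inputs used below.
func gzipBytes(data []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(data)
	zw.Close()
	return buf.Bytes()
}

// ZipBombSample is a constructed stand-in for a malicious package: 1 MiB of
// zeros, which gzip shrinks to roughly a kilobyte.
func ZipBombSample() []byte { return gzipBytes(make([]byte, 1<<20)) }

// BenignSample is a constructed, modestly compressible payload standing in
// for an ordinary package; it returns both the plaintext and its gzip form.
func BenignSample() ([]byte, []byte) {
	var plain bytes.Buffer
	for i := 0; i < 500; i++ {
		fmt.Fprintf(&plain, "pkg entry %d: usr/lib/libexample-%d.so\n", i, i*7)
	}
	return plain.Bytes(), gzipBytes(plain.Bytes())
}

func main() {
	plain, comp := BenignSample()
	out, err := ExpandBounded(bytes.NewReader(comp), 512<<10, 100)
	fmt.Println("benign ok:", err == nil && bytes.Equal(out, plain), "bytes:", len(out))

	bomb := ZipBombSample()
	_, err = ExpandBounded(bytes.NewReader(bomb), 512<<10, 100)
	fmt.Printf("bomb (%d compressed bytes): %v\n", len(bomb), err)
}
```

The absolute cap is the control the advisory describes; the ratio check is an extra layer and needs a floor and a generous threshold, because legitimate packages with large sparse or repetitive files can compress far better than typical text. In a build tool the cap would normally be chosen per package from the repository index's declared size rather than from a fixed constant.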
Detection Methods for CVE-2026-25140
Indicators of Compromise
- Abnormally large disk space consumption during container image builds
- Extended CPU utilization during APK package expansion operations
- Build process timeouts or failures with out-of-memory or disk space errors
- Unusual network traffic patterns to untrusted or recently modified APK repositories
Detection Strategies
- Monitor build host resource utilization for sudden spikes in disk I/O and CPU usage during apko operations
- Implement file system quotas and alerts for build directories exceeding expected size thresholds
- Track and audit APK repository sources configured in apko build configurations
- Review build logs for expansion operations that exceed normal duration or resource patterns
Monitoring Recommendations
- Configure resource monitoring and alerting on container build infrastructure
- Implement network-level monitoring for connections to APK repositories
- Set up automated checks to verify apko version compliance across build environments
- Establish baseline metrics for normal build resource consumption to detect anomalies
How to Mitigate CVE-2026-25140
Immediate Actions Required
- Upgrade apko to version 1.1.1 or later immediately
- Audit all APK repository sources for trustworthiness and integrity
- Implement resource limits (disk quotas, memory limits) on build hosts as defense-in-depth
- Review recent builds for signs of resource exhaustion attacks
Patch Information
This vulnerability has been patched in apko version 1.1.1. The fix introduces limit readers for all readers that consume data from external sources, preventing unbounded decompression. For detailed patch information, refer to the GitHub Commit Details and GitHub Security Advisory GHSA-f4w5-5xv9-85f6.
Workarounds
- Restrict APK repository sources to only trusted, verified repositories
- Implement container or VM-based isolation for build processes to limit blast radius
- Configure disk quotas and resource limits on build hosts to prevent complete resource exhaustion
- Monitor and rate-limit APK downloads during build operations
# Configuration example - Upgrade apko to patched version
# Using go install
go install chainguard.dev/apko@v1.1.1
# Verify installed version
apko version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.