{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-12T02:55:14.845","vulnerabilities":[{"cve":{"id":"CVE-2026-25140","sourceIdentifier":"security-advisories@github.com","published":"2026-02-04T19:16:15.117","lastModified":"2026-02-20T21:31:56.623","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service. This issue has been patched in version 1.1.1."},{"lang":"es","value":"apko permite a los usuarios construir y publicar imágenes de contenedor OCI construidas a partir de paquetes apk. Desde la versión 0.14.8 hasta antes de la 1.1.1, un atacante que controle o comprometa un repositorio APK utilizado por apko podría causar el agotamiento de recursos en el host de compilación. La función ExpandApk en pkg/apk/expandapk/expandapk.go expande flujos .apk sin aplicar límites de descompresión, permitiendo que un repositorio malicioso sirva un .apk pequeño y altamente comprimido que se infla en un gran flujo tar, consumiendo espacio en disco y tiempo de CPU excesivos, causando fallos de compilación o denegación de servicio. Este problema ha sido parcheado en la versión 1.1.1."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-400"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-770"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:chainguard:apko:*:*:*:*:*:go:*:*","versionStartIncluding":"0.14.8","versionEndExcluding":"1.1.1","matchCriteriaId":"D4999F65-41B1-42B5-8BFE-C5DD249E18F3"}]}]}],"references":[{"url":"https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/chainguard-dev/apko/security/advisories/GHSA-f4w5-5xv9-85f6","source":"security-advisories@github.com","tags":["Third Party Advisory"]}]}}]}