CVE-2025-53945

apko allows users to build and publish OCI container images built from apk packages. Starting in version 0.27.0 and prior to version 0.29.5, critical files were inadvertently set to 0666, which could likely be abused for root escalation. Version 0.29.5 contains a fix for the issue.

CVSS v3 7.0 HIGH

7.0^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.1 / Impact : 5.3

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/chainguard-dev/apko/commit/04f37e2d50d5a502e155788561fb7d40de705bd9
https://github.com/chainguard-dev/apko/commit/aedb0772d6bf6e74d8f17690946dbc791d0f6af3
https://github.com/chainguard-dev/apko/releases/tag/v0.27.0
https://github.com/chainguard-dev/apko/releases/tag/v0.29.5
https://github.com/chainguard-dev/apko/security/advisories/GHSA-x6ph-r535-3vjw

Configurations

No configuration.

History

22 Jul 2025, 13:06

Type	Values Removed	Values Added
Summary		(es) apko permite a los usuarios crear y publicar imágenes de contenedores OCI a partir de paquetes APK. A partir de la versión 0.27.0 y anteriores a la 0.29.5, los archivos críticos se configuraban inadvertidamente como 0666, lo que podría utilizarse para escalar privilegios de root. La versión 0.29.5 incluye una solución para este problema.

18 Jul 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-18 16:15

Updated : 2025-07-22 13:06

NVD link : CVE-2025-53945

Mitre link : CVE-2025-53945

CVE.ORG link : CVE-2025-53945

JSON object : View

Products Affected

No product.

CWE

CWE-276

Incorrect Default Permissions

7.0 /10