CVE-2025-53945 chainguard.dev/apko

Package

Manager: go
Name: chainguard.dev/apko
Vulnerable Version: >=0.27.0 <0.29.5

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L

EPSS: 0.00015 (percentile: 0.02258)

Details

apko is vulnerable to attack through incorrect permissions in /etc/ld.so.cache and other files

It was discovered that the ld.so.cache in images generated by apko had file system permissions mode `0666`:

```
bash-5.3# find / -type f -perm -o+w
/etc/ld.so.cache
```

This issue was introduced in commit [04f37e2 ("generate /etc/ld.so.cache (#1629)")](https://github.com/chainguard-dev/apko/commit/04f37e2d50d5a502e155788561fb7d40de705bd9) ([v0.27.0](https://github.com/chainguard-dev/apko/releases/tag/v0.27.0)).

### Impact

This potentially allows a local unprivileged user to add additional directories including dynamic libraries to the dynamic loader path. A user could exploit this by placing a malicious library in a directory they control.

### Patches

This issue was addressed in apko in [aedb077 ("fix: /etc/ld.so.cache file permissions (#1758)")](https://github.com/chainguard-dev/apko/commit/aedb0772d6bf6e74d8f17690946dbc791d0f6af3) ([v0.29.5](https://github.com/chainguard-dev/apko/releases/tag/v0.29.5)).

### Acknowledgements

Many thanks to Cody Harris from [H2O.ai](http://h2o.ai/) for reporting this issue.
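The `find / -type f -perm -o+w` check above can also be run against an image layer tarball without starting a container. The following is an added example, not code from apko or from the advisory; `worldWritable` and `sampleLayer` are hypothetical names, and the two-file layer is constructed for the demonstration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
)

// worldWritable returns "mode path" for every regular file in a tar stream
// (for example an exported image layer) whose other-write bit is set.
func worldWritable(r io.Reader) ([]string, error) {
	var hits []string
	tr := tar.NewReader(r)
	for {
		h, err := tr.Next()
		if err == io.EOF {
			return hits, nil
		}
		if err != nil {
			return nil, err
		}
		// Regular files only, matching `find -type f -perm -o+w`.
		if h.Typeflag == tar.TypeReg && h.Mode&0o002 != 0 {
			hits = append(hits, fmt.Sprintf("%04o %s", h.Mode&0o7777, h.Name))
		}
	}
}

// sampleLayer builds a constructed layer: one file with mode 0666, one with 0644.
func sampleLayer() *bytes.Buffer {
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)
	for _, f := range []struct {
		name string
		mode int64
	}{{"etc/ld.so.cache", 0o666}, {"etc/os-release", 0o644}} {
		body := []byte("constructed sample\n")
		tw.WriteHeader(&tar.Header{Name: f.name, Mode: f.mode, Size: int64(len(body)), Typeflag: tar.TypeReg})
		tw.Write(body)
	}
	tw.Close()
	return buf
}

func main() {
	hits, _ := worldWritable(sampleLayer())
	fmt.Println(hits)
}
```

To use it as a build gate, pass an opened layer tarball to `worldWritable` instead of `sampleLayer()` and fail the pipeline when the returned slice is non-empty.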

Metadata

Created: 2025-07-18T20:03:25Z
Modified: 2025-07-18T20:03:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-x6ph-r535-3vjw/GHSA-x6ph-r535-3vjw.json
CWE IDs: ["CWE-276"]
Alternative ID: GHSA-x6ph-r535-3vjw
Finding: F159
Auto approve: 1