Advisory GHSA-x6ph-r535-3vjw references a vulnerability in the following Go modules:

| Module |
| --- |
| chainguard.dev/apko |
Description:
It was discovered that the ld.so.cache in images generated by apko had file system permissions mode 0666:

```
bash-5.3# find / -type f -perm -o+w
/etc/ld.so.cache
```

This issue was introduced in commit 04f37e2 ("generate /etc/ld.so.cache (#1629)") (v0.27.0).
Impact
This potentially allows a local unprivileged user to add additional directories, including dynamic libraries, to the dynamic loader path. The glibc dynamic loader consults /etc/ld.so.cache when resolving shared library names, so anyone who can write that file can influence which library files are mapped into processes that start afterwards, including privileged ones. A user could exploit this...
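The following script is an added example for triaging this report; it is not apko's or x/vulndb's own code. It generalises the advisory's `find / -type f -perm -o+w` check to an unpacked image rootfs (the directory you get from `docker export` or `crane export` followed by `tar -x`, which is assumed here), lists every world-writable regular file, returns a distinct exit status for `/etc/ld.so.cache` specifically, and builds a small constructed rootfs so it runs offline. The `harden_ld_cache` stop-gap (clearing the other-write bit on an already-built image) is this example's suggestion, not a fix described in the advisory; the fix the references point to is rebuilding with apko v0.29.5 or later.

```shell
#!/bin/sh
# Added example, not apko's own code: scan an unpacked container rootfs for the
# world-writable-file condition behind CVE-2025-53945 (GHSA-x6ph-r535-3vjw).
# Usage: ldcache_check.sh /path/to/unpacked/rootfs
# With no argument it runs against a constructed sample rootfs (see below).
set -eu

# Print every regular file under ROOT with the other-write bit set, as a path
# relative to ROOT. `-perm -0002` is the octal form of the advisory's `-perm -o+w`.
find_world_writable() {
    root=$1
    find "$root" -type f -perm -0002 | sed "s|^$root||"
}

# Exit status: 0 = ROOT/etc/ld.so.cache exists and is not world-writable,
#              1 = it is world-writable (the vulnerable state),
#              2 = the file is absent (not a glibc-style rootfs, or not generated).
check_ld_cache() {
    f="$1/etc/ld.so.cache"
    [ -f "$f" ] || return 2
    [ -z "$(find "$f" -perm -0002)" ] || return 1
    return 0
}

# Stop-gap for an image that has already been built and shipped (assumption: this
# example's suggestion, not part of the advisory). The proper fix is rebuilding
# with apko v0.29.5 or later.
harden_ld_cache() {
    chmod o-w "$1/etc/ld.so.cache"
}

# Constructed sample rootfs (not a real apko image) so the script runs offline:
# one file with the bad 0666 mode and two with normal modes.
make_sample_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/usr/lib"
    : > "$d/etc/ld.so.cache";   chmod 0666 "$d/etc/ld.so.cache"   # vulnerable mode
    : > "$d/etc/passwd";        chmod 0644 "$d/etc/passwd"
    : > "$d/usr/lib/libc.so.6"; chmod 0755 "$d/usr/lib/libc.so.6"
    printf '%s\n' "$d"
}

# Human-readable report; propagates check_ld_cache's exit status for CI use.
report() {
    root=$1
    echo "World-writable regular files under $root:"
    find_world_writable "$root"
    rc=0
    check_ld_cache "$root" || rc=$?
    case $rc in
        0) echo "/etc/ld.so.cache: OK (not world-writable)" ;;
        1) echo "/etc/ld.so.cache: VULNERABLE (world-writable, CVE-2025-53945 pattern)" ;;
        2) echo "/etc/ld.so.cache: not present in this rootfs" ;;
    esac
    return $rc
}

# Scan the rootfs given on the command line, or the constructed sample if none.
# The `|| true` keeps the demo from aborting under `set -e` when the sample is
# (deliberately) vulnerable; in CI, call `report "$root"` directly to fail the job.
scan_root=${1:-$(make_sample_rootfs)}
report "$scan_root" || true
```

Run it against a real export with `ldcache_check.sh ./rootfs`; exit status 1 means the image matches the vulnerable pattern regardless of which apko version built it, which is the check to run on images already in a registry rather than trusting the version range alone.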
References:
- ADVISORY: GHSA-x6ph-r535-3vjw
- ADVISORY: GHSA-x6ph-r535-3vjw
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-53945
- FIX: chainguard-dev/apko@04f37e2
- FIX: chainguard-dev/apko@aedb077
- WEB: https://github.com/chainguard-dev/apko/releases/tag/v0.29.5
Cross references:
- chainguard.dev/apko appears in 1 other report(s):
- data/reports/GO-2024-2899.yaml (x/vulndb: potential Go vuln in github.com/chainguard-dev/apko: CVE-2024-36127 #2899)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: chainguard.dev/apko
      versions:
        - introduced: 0.27.0
        - fixed: 0.29.5
      vulnerable_at: 0.29.4
summary: |-
    apko is vulnerable to attack through incorrect permissions in /etc/ld.so.cache
    and other files in chainguard.dev/apko
cves:
    - CVE-2025-53945
ghsas:
    - GHSA-x6ph-r535-3vjw
references:
    - advisory: https://github.com/advisories/GHSA-x6ph-r535-3vjw
    - advisory: https://github.com/chainguard-dev/apko/security/advisories/GHSA-x6ph-r535-3vjw
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-53945
    - fix: https://github.com/chainguard-dev/apko/commit/04f37e2d50d5a502e155788561fb7d40de705bd9
    - fix: https://github.com/chainguard-dev/apko/commit/aedb0772d6bf6e74d8f17690946dbc791d0f6af3
    - web: https://github.com/chainguard-dev/apko/releases/tag/v0.29.5
source:
    id: GHSA-x6ph-r535-3vjw
    created: 2025-07-18T21:01:22.216414141Z
review_status: UNREVIEWED
```