GHSA-x6ph-r535-3vjw

Source

https://github.com/advisories/GHSA-x6ph-r535-3vjw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-x6ph-r535-3vjw/GHSA-x6ph-r535-3vjw.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-x6ph-r535-3vjw

Aliases

CVE-2025-53945

Published

2025-07-18T20:03:25Z

Modified

2025-07-18T20:42:20.154627Z

Severity

7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L CVSS Calculator

Summary

apko is vulnerable to attack through incorrect permissions in /etc/ld.so.cache and other files

Details

It was discovered that the ld.so.cache in images generated by apko had file system permissions mode 0666:

bash-5.3# find / -type f -perm -o+w
/etc/ld.so.cache

This issue was introduced in commit 04f37e2 ("generate /etc/ld.so.cache (#1629)")(v0.27.0).

Impact

This potentially allows a local unprivileged user to add additional additional directories including dynamic libraries to the dynamic loader path. A user could exploit this by placing a malicious library in a directory they control.

Patches

This issue was addressed in apko in aedb077 ("fix: /etc/ld.so.cache file permissions (#1758)") (v0.29.5).

Acknowledgements

Many thanks to Cody Harris from H2O.ai for reporting this issue.

Database specific

{
    "severity": "HIGH",
    "nvd_published_at": "2025-07-18T16:15:30Z",
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-18T20:03:25Z",
    "cwe_ids": [
        "CWE-276"
    ]
}

References

Affected packages

Go / chainguard.dev/apko

Package

Name: chainguard.dev/apko; View open source insights on deps.dev
Purl: pkg:golang/chainguard.dev/apko

Affected ranges

Type: SEMVER
Events: Introduced

0.27.0

Fixed

0.29.5