{"id":"GHSA-x6ph-r535-3vjw","summary":"apko is vulnerable to attack through incorrect permissions in /etc/ld.so.cache and other files","details":"It was discovered that the ld.so.cache in images generated by apko had file system permissions mode `0666`:\n```\nbash-5.3# find / -type f -perm -o+w\n/etc/ld.so.cache\n```\n\nThis issue was introduced in commit [04f37e2 (\"generate /etc/ld.so.cache (#1629)\")](https://github.com/chainguard-dev/apko/commit/04f37e2d50d5a502e155788561fb7d40de705bd9) ([v0.27.0](https://github.com/chainguard-dev/apko/releases/tag/v0.27.0)).\n\n### Impact\nThis potentially allows a local unprivileged user to add additional directories including dynamic libraries to the dynamic loader path. A user could exploit this by placing a malicious library in a directory they control.\n\n### Patches\nThis issue was addressed in apko in [aedb077 (\"fix: /etc/ld.so.cache file permissions (#1758)\")](https://github.com/chainguard-dev/apko/commit/aedb0772d6bf6e74d8f17690946dbc791d0f6af3) ([v0.29.5](https://github.com/chainguard-dev/apko/releases/tag/v0.29.5)).\n\n### Acknowledgements\n\nMany thanks to Cody Harris from [H2O.ai](http://h2o.ai/) for reporting this issue.","aliases":["CVE-2025-53945","GO-2025-3816"],"modified":"2026-02-04T03:05:16.224602Z","published":"2025-07-18T20:03:25Z","related":["CGA-3g3j-8396-2m48"],"database_specific":{"severity":"HIGH","nvd_published_at":"2025-07-18T16:15:30Z","github_reviewed":true,"cwe_ids":["CWE-276"],"github_reviewed_at":"2025-07-18T20:03:25Z"},"references":[{"type":"WEB","url":"https://github.com/chainguard-dev/apko/security/advisories/GHSA-x6ph-r535-3vjw"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-53945"},{"type":"WEB","url":"https://github.com/chainguard-dev/apko/commit/04f37e2d50d5a502e155788561fb7d40de705bd9"},{"type":"WEB","url":"https://github.com/chainguard-dev/apko/commit/aedb0772d6bf6e74d8f17690946dbc791d0f6af3"},{"type":"PACKAGE","url":"https://github.com/chainguard-dev/apko"},{"type":"WEB","url":"https://github.com/chainguard-dev/apko/releases/tag/v0.29.5"}],"affected":[{"package":{"name":"chainguard.dev/apko","ecosystem":"Go","purl":"pkg:golang/chainguard.dev/apko"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.27.0"},{"fixed":"0.29.5"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-x6ph-r535-3vjw/GHSA-x6ph-r535-3vjw.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L"}]}