CVE-2025-53945: 
Wolfi vulnerability analysis and mitigation

CVE-2025-53945 affects apko, a tool that allows users to build and publish OCI container images built from apk packages. The vulnerability was discovered in version 0.27.0 and fixed in version 0.29.5. The issue involves critical files being inadvertently set to 0666 permissions, which could potentially be exploited for root escalation (NVD, GitHub Advisory).

The vulnerability was introduced in commit 04f37e2 when implementing /etc/ld.so.cache generation functionality. The issue stems from the file being created with os.Create internally, which sets permissions to 0666 (read-write for all users). The CVSS v3.1 base score is 7.0 (High) with vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L, indicating local access required but high potential impact (GitHub Advisory).

The vulnerability allows local unprivileged users to add additional directories including dynamic libraries to the dynamic loader path. An attacker could exploit this by placing a malicious library in a directory they control, potentially leading to root escalation (GitHub Advisory).

The vulnerability was patched in version 0.29.5 with commit aedb077, which fixes the file permissions by changing them to 0644. Users should upgrade to version 0.29.5 or later to address this security issue (GitHub Advisory).

The vulnerability was responsibly disclosed by Cody Harris from H2O.ai, demonstrating active security research in the container image building ecosystem (GitHub Advisory).