CVE-2025-66626

Dec. 19, 2025, 7:14 p.m.

8.1
High

Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4, contain unsafe untar code that handles symbolic links in archives. Concretely, the computation of a link's target and the subsequent check are flawed. An attacker can overwrite the file /var/run/argo/argoexec with a script of their choice, which would be executed at the pod's start. The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links. This issue is fixed in versions 3.6.14 and 3.7.5.

Product(s) Impacted

Vendor Product Versions
Argoproj
  • Argo Workflows
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-23
Relative Path Traversal
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
CWE-59
Improper Link Resolution Before File Access ('Link Following')
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a argoproj argo_workflows / / / / / go / /
a argoproj argo_workflows / / / / / go / /

References

https://github.com/advisories/GHSA-p84v-gxvw-73pf
https://github.com/argoproj/argo-workflows/blob/5291e0b01f94ba864f96f795bb500f2cfc5ad799/workflow/executor/executor.go#L1034-L1037
https://github.com/argoproj/argo-workflows/commit/6b92af23f35aed4d4de8b04adcaf19d68f006de1
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xrqc-7xgx-c9vh
https://github.com/advisories/GHSA-p84v-gxvw-73pf
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xrqc-7xgx-c9vh

Tags

security-advisories@github.com
CWE-59
CWE-23
2025-12-09
CVE-2025-66626

CVSS Score

8.1 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

    View Vector String

Timeline

Published: Dec. 9, 2025, 9:16 p.m.
Last Modified: Dec. 19, 2025, 7:14 p.m.

Status : Analyzed

CVE has had analysis completed and all data associations made.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.