CVE-2025-66626

Dec. 9, 2025, 9:16 p.m.

8.1
High

Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4, contain unsafe untar code that handles symbolic links in archives. Concretely, the computation of a link's target and the subsequent check are flawed. An attacker can overwrite the file /var/run/argo/argoexec with a script of their choice, which would be executed at the pod's start. The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links. This issue is fixed in versions 3.6.14 and 3.7.5.

Product(s) Impacted

Vendor Product Versions
Argo
  • Argo Workflows
  • 3.6.13, 3.7.0-3.7.4, 3.6.14, 3.7.5

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-23
Relative Path Traversal
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a argo argo_workflows 3.6.13 / / / / / / /
a argo argo_workflows 3.7.0-3.7.4 / / / / / / /
a argo argo_workflows 3.6.14 / / / / / / /
a argo argo_workflows 3.7.5 / / / / / / /

References

https://github.com/advisories/GHSA-p84v-gxvw-73pf
https://github.com/argoproj/argo-workflows/blob/5291e0b01f94ba864f96f795bb500f2cfc5ad799/workflow/executor/executor.go#L1034-L1037
https://github.com/argoproj/argo-workflows/commit/6b92af23f35aed4d4de8b04adcaf19d68f006de1
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xrqc-7xgx-c9vh

Tags

security-advisories@github.com
CWE-23
2025-12-09
CVE-2025-66626

CVSS Score

8.1 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

    View Vector String

Timeline

Published: Dec. 9, 2025, 9:16 p.m.
Last Modified: Dec. 9, 2025, 9:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.