CVE-2025-62157
MEDIUMArgo Workflows < 3.6.12 and 3.7.0-3.7.2 - Insufficiently Protected Credentials in Workflow-Controller Pod Logs
Title source: llmDescription
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Argo Workflows versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 expose artifact repository credentials in plaintext in workflow-controller pod logs. An attacker with permissions to read pod logs in a namespace running Argo Workflows can read the workflow-controller logs and obtain credentials to the artifact repository. Update to versions 3.6.12 or 3.7.3 to remediate the vulnerability. No known workarounds exist.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-c2hv-4pfj-mm2r
Patch x_refsource_misc
https://github.com/argoproj/argo-workflows/commit/18ad5138b6bcb2aba04e00b4ec657bc6b8fad8df
Scores
CVSS v3
6.5
EPSS
0.0044
EPSS Percentile
34.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-522
Status
published
Products (2)
argoproj/argo-workflows
3.7.0 - 3.7.3Go
argoproj/argo_workflows
< 3.6.12
Published
Oct 14, 2025
Tracked Since
Feb 18, 2026