Description
Argo Workflows is an open-source, container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4 contain unsafe untar code that handles symbolic links in archives. Concretely, the computation of a link's target and the subsequent check are flawed. An attacker can overwrite the file /var/run/argo/argoexec with a script of their choice, which would be executed at the pod's start. The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links. This issue is fixed in versions 3.6.14 and 3.7.5.
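A containment check for symlink entries of the kind the description refers to, as an added example that is not the Argo Workflows code or its patch. The helper name `safeLinkTarget`, the extraction root `/work/out` and the sample entries are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// within reports whether p is root or lies beneath it, comparing path
// components so that "/work/out-evil" is not taken as inside "/work/out".
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeLinkTarget (hypothetical helper) returns where a symlink entry would
// point once extracted under destDir, or an error if it leaves destDir.
func safeLinkTarget(destDir, entryName, linkname string) (string, error) {
	root := filepath.Clean(destDir)
	linkPath := filepath.Join(root, entryName)
	if linkPath == root || !within(root, linkPath) {
		return "", fmt.Errorf("entry %q escapes %s", entryName, root)
	}
	if filepath.IsAbs(linkname) {
		return "", fmt.Errorf("entry %q: absolute link target %q", entryName, linkname)
	}
	// Resolve a relative target against the link's own directory, not the root.
	target := filepath.Join(filepath.Dir(linkPath), linkname)
	if !within(root, target) {
		return "", fmt.Errorf("entry %q: target %q escapes %s", entryName, linkname, root)
	}
	return target, nil
}

func main() {
	// Constructed sample entries: {entry name, link target}.
	samples := [][2]string{
		{"dir/link", "../data/file"}, {"link", "/var/run/argo/argoexec"},
		{"dir/link", "../../etc"}, {"link", "../out-evil/x"},
	}
	for _, s := range samples {
		p, err := safeLinkTarget("/work/out", s[0], s[1])
		fmt.Println(s, p, err)
	}
}
```

The check is lexical only: an extractor also has to refuse to write a later entry through a symlink that an earlier entry created.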
References (4)
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xrqc-7xgx-c9vh
Patch x_refsource_misc
https://github.com/argoproj/argo-workflows/commit/6b92af23f35aed4d4de8b04adcaf19d68f006de1
Not Applicable x_refsource_misc
https://github.com/advisories/GHSA-p84v-gxvw-73pf
Scores
CVSS v3: 8.1
EPSS: 0.0057
EPSS Percentile: 42.3%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-78, CWE-23, CWE-59
Status: published
Products (3)
argoproj/argo-workflows: 0 (Go)
argoproj/argo-workflows: 3.7.0 - 3.7.5 (Go)
argoproj/argo_workflows: < 3.6.14
Published: Dec 09, 2025
Tracked Since: Feb 18, 2026