CVE-2025-66626
A path traversal and arbitrary file overwrite vulnerability has been identified in Argo Workflows during the extraction of archived artifacts, where symbolic links inside a crafted archive are not safely validated before file extraction. An attacker could exploit this flaw by submitting a malicio...
CVE-2025-66626
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4 contain unsafe untar code that handles symbolic links in archives. Concretely, the computation of a link's target and the...
Relative Path Traversal
Overview Affected versions of this package are vulnerable to Relative Path Traversal in the untar process. An attacker can execute arbitrary code with elevated privileges by crafting a malicious archive containing symbolic links that overwrite critical files such as /var/run/argo/argoexec, which...
CVE-2025-66626 argoproj/argo-workflows is vulnerable to RCE via ZipSlip and symbolic links
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4 contain unsafe untar code that handles symbolic links in archives. Concretely, the computation of a link's target and the...
CVE-2025-66626
Argo Workflows CVE-2025-66626 affects the container-native workflow engine. Versions ≤3.6.13 and 3.7.0–3.7.4 contain unsafe untar code that mishandles symbolic links, allowing an attacker to overwrite /var/run/argo/argoexec with a script executed at pod startup. The patch for CVE-2025-62156 is in...
EUVD-2025-202177
RCE via ZipSlip and symbolic links in argoproj/argo-workflows...
RCE via ZipSlip and symbolic links in argoproj/argo-workflows
Summary The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links. Details The untar code that handles symbolic links in archives is unsafe. Concretely, the computation of the link's target and the subsequent check are flawed:...
GHSA-XRQC-7XGX-C9VH RCE via ZipSlip and symbolic links in argoproj/argo-workflows
Summary The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links. Details The untar code that handles symbolic links in archives is unsafe. Concretely, the computation of the link's target and the subsequent check are flawed:...
PT-2025-50230
Name of the Vulnerable Software and Affected Versions Argo Workflows versions 3.6.13 and below Argo Workflows versions 3.7.0 through 3.7.4 Description Argo Workflows, a container-native workflow engine for Kubernetes, has an issue with unsafe untar code that improperly handles symbolic links with...
Argo Workflows operating system command injection vulnerability
Argo Workflows is an open source container-native workflow engine for Kubernetes from the Argo project. An operating system command injection vulnerability exists in Argo Workflows versions 3.6.13 and earlier and versions 3.7.0 through 3.7.4, which stems from improper handling of symbolic links a...
Docker-Exploit-Mapper
DEM — Docker Exploit Mapper Welcome to DEM, a fully con...
Remote Code Execution (RCE)
Overview Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to insufficient isolation in the Python Code Node that uses Pyodide. An authenticated attacker with permissions to create or modify workflows can execute arbitrary commands on the host system by creating or...
GHSA-PJ86-CFQH-VQX6 vulnerabilities
Vulnerabilities for packages: saf, sqlpad, tileserver-gl, thingsboard, argo-workflows, json-server...
CVE-2024-51999 vulnerabilities
Vulnerabilities for packages: saf, sqlpad, tileserver-gl, thingsboard, argo-workflows, json-server...
CVE-2024-51999 vulnerabilities
Vulnerabilities for packages: thingsboard, json-server, argo-workflows, redisinsight, tileserver-gl, librechat, saf, sqlpad...
GHSA-PJ86-CFQH-VQX6 vulnerabilities
Vulnerabilities for packages: thingsboard, json-server, argo-workflows, redisinsight, tileserver-gl, librechat, saf, sqlpad...
Chopping AI Down to Size: Turning Disruptive Technology into a Strategic Advantage
Most people know the story of Paul Bunyan. A giant lumberjack, a trusted axe, and a challenge from a machine that promised to outpace him. Paul doubled down on his old way of working, swung harder, and still lost by a quarter inch. His mistake was not losing the contest. His mistake was assuming...
Information Disclosure
github.com/argoproj/argo-workflows is vulnerable to Information Disclosure. The vulnerability is due to artifact repository credentials being logged in plaintext within the workflow-controller pod logs, which allows an attacker with permission to read pod logs to obtain these credentials and...