Platform
go
Component
github.com/argoproj/argo-workflows
Fixed in
3.6.13
3.7.1
3.6.12
CVE-2025-62156 is a Zip Slip vulnerability in Argo Workflows (Go module github.com/argoproj/argo-workflows). Zip Slip is path traversal during archive extraction: an entry name such as ../../evil is joined onto the extraction directory without a containment check, so unpacking an attacker-controlled archive writes files outside that directory. The flaw affects Argo Workflows 3.6 releases before 3.6.12 and the 3.7 line before its fixed release listed at the top of this page, and it allows unauthorized file writes. Fixes are available in the versions listed there.
An attacker who can get Argo Workflows to extract an archive they control crafts entry names containing directory traversal sequences (e.g. ../../) so that, when the archive is unpacked, files are written to locations of the attacker's choosing instead of inside the intended directory. Because the write happens with the privileges of the extracting process, a successful exploit can overwrite sensitive files such as configuration files, credentials or executable code; as the upgrade note below states, this includes overwriting the configuration of the affected container, which opens the way to privilege escalation and persistence within it. The blast radius covers every deployment in which Argo Workflows unpacks archives supplied by untrusted users. No precedent exists for this particular Argo Workflows flaw, but Zip Slip bugs in other archive-handling software, including unzip utilities, have been exploited for remote code execution and full system compromise.
CVE-2025-62156 was publicly disclosed on 2025-11-05. Its EPSS score is 0.13% (33rd percentile). No public proof-of-concept (PoC) code had been released at the time of writing, but a Zip Slip archive takes only a few lines to build, so one may appear at any time; monitor security advisories and vulnerability databases for updates. The vulnerability is not listed in the CISA KEV catalog.
Organizations running Argo Workflows in production are at risk, particularly where it handles sensitive data or is integrated with other critical systems, and most of all where unpatched versions remain in service. Multi-tenant clusters in which many users can submit workflows or supply the archives that Argo Workflows unpacks face the highest exposure, since any one of those users can present a crafted archive.
Quick checks (the path, URL and any token below are placeholders to adapt to your deployment):
• go / server: scan stored archives for entry names that contain traversal sequences. Zip entry names are stored uncompressed inside the archive, so grep -a can see them; the pattern matches both ../ and ..\ (the original pattern only matched the backslash form). Gzip-compressed tarballs cannot be checked this way because their entry names sit inside the compressed stream.
find /opt/argoworkflows -type f -name '*.zip' -print0 | xargs -0 grep -al -e '\.\./' -e '\.\.\\'
• generic web: read the running server version from the Argo Server API and compare it with the fixed versions listed at the top of this page (supply a bearer token if the server requires authentication):
curl -s <argo_workflows_url>/api/v1/version
Disclosure
2025-11-05
Exploit status
No public PoC at the time of writing
EPSS
0.13% (33rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-62156 is to upgrade Argo Workflows to version 3.6.12 or later (or to the corresponding fixed 3.7 release), which adds the missing containment check to archive extraction. If upgrading immediately is not feasible, restrict what Argo Workflows will unpack: allow-list permitted file types and, before any entry is written, resolve its cleaned path against the destination directory and reject every entry whose path does not stay inside it. A web application firewall configured to block path traversal sequences only helps for archives that arrive over an HTTP path the WAF inspects, so treat it as a thin, temporary layer rather than a fix. After upgrading, confirm the fix by extracting a test archive that contains directory traversal entries and verifying that extraction is refused with an error instead of writing outside the destination.
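The traversal mechanism described earlier and the containment check this mitigation asks for, shown side by side in Go as an added example. This is illustration code written for this page, not code from the Argo Workflows repository or from its fix; the archive, its entry names and the directory layout are constructed, and the helper names (buildArchive, unsafeJoin, safeJoin, extract, writeEntry, Demo) are assumptions of the example:

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrZipSlip is returned when an archive entry would land outside the destination.
var ErrZipSlip = errors.New("zip slip: entry path escapes destination directory")

// buildArchive writes a zip in memory; zip.Writer keeps "../../evil.sh" verbatim (constructed sample).
func buildArchive(entries map[string]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range entries {
		w, _ := zw.Create(name) // writes to a bytes.Buffer cannot fail
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

// unsafeJoin is the vulnerable pattern: the entry name is joined with no containment check.
var unsafeJoin = func(dest, name string) (string, error) { return filepath.Join(dest, name), nil }

// safeJoin is the hardened form: after Join cleans the path, the result must still sit under dest.
func safeJoin(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrZipSlip, name)
	}
	return target, nil
}

// extract unpacks archive into dest, resolving each entry with join; it stops at the first rejection.
func extract(archive []byte, dest string, join func(string, string) (string, error)) error {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return err
	}
	for _, f := range zr.File {
		target, err := join(dest, f.Name)
		if err != nil {
			return err
		}
		if err := writeEntry(f, target); err != nil {
			return err
		}
	}
	return nil
}

// writeEntry reads one entry fully into memory (acceptable for a demo) and writes it out.
func writeEntry(f *zip.File, target string) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	data, err := io.ReadAll(rc)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	return os.WriteFile(target, data, 0o644)
}

// Demo runs both extractors on the constructed payload in a scratch tree and reports what happened.
func Demo() (escaped, rejected bool, err error) {
	root, err := os.MkdirTemp("", "zipslip-demo-")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(root)
	archive := buildArchive(map[string]string{
		"data/ok.txt":   "harmless\n",
		"../../evil.sh": "#!/bin/sh\necho pwned\n", // two levels above the extraction dir
	})
	if err := extract(archive, filepath.Join(root, "a", "b", "extract"), unsafeJoin); err != nil {
		return false, false, err
	}
	_, statErr := os.Stat(filepath.Join(root, "a", "evil.sh")) // extract/../../evil.sh lands here
	escaped = statErr == nil
	err = extract(archive, filepath.Join(root, "c", "d", "extract"), safeJoin)
	rejected = errors.Is(err, ErrZipSlip)
	return escaped, rejected, nil
}

func main() { fmt.Println(Demo()) }
```

Running it with go run prints true true <nil>: the unchecked join wrote evil.sh two directories above its destination, the checked one refused the archive. The check is purely lexical, which is what a Zip Slip fix needs, but it does not cover symlink entries (zip and tar both carry them) that redirect later entries outside dest; an extractor that honours symlinks needs a separate check there. Go 1.20 and later can also refuse such names in zip.NewReader itself when GODEBUG=zipinsecurepath=0 is set, which is a useful belt-and-braces setting for Go services that unpack untrusted archives.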
Upgrade argo-workflows to version 3.6.12 or later, or to version 3.7.3 or later. This fixes the path traversal vulnerability that allows arbitrary file writes and overwriting of the container's configuration. The update prevents the possible privilege escalation and persistence within the affected container.
CVE-2025-62156 is a high-severity Zip Slip vulnerability affecting Argo Workflows versions prior to 3.6.12. It lets an attacker who supplies a crafted archive write files outside the intended extraction directory on the system that unpacks it.
You are affected if you are running Argo Workflows earlier than 3.6.12 (or a 3.7 release earlier than the fixed version listed at the top of this page). Check your current version and upgrade immediately if it is vulnerable.
Upgrade Argo Workflows to version 3.6.12 or later. If an immediate upgrade is not possible, restrict who can submit workflows or supply the archives Argo Workflows unpacks as a temporary workaround.
No public exploits are known at present, but the nature of the flaw makes exploitation straightforward once an attacker can supply an archive. Monitor security advisories and threat intelligence feeds.
Refer to the official Argo Workflows security page for details and updates: [https://argoproj.github.io/workflows/security/](https://argoproj.github.io/workflows/security/)