Platform
go
Component
github.com/argoproj/argo-workflows
Fixed in
3.0.1
3.0.1
2.5.4
3.7.5
CVE-2025-66626 describes a Remote Code Execution (RCE) vulnerability within argoproj/argo-workflows, a workflow engine for Kubernetes. This flaw stems from improper handling of zip archives, specifically leveraging ZipSlip and symbolic links to achieve code execution. Affected versions are those prior to 3.7.5; upgrading to this version resolves the issue.
The vulnerability allows an attacker to execute arbitrary code on the system running Argo Workflows. This is achieved by crafting a malicious zip archive containing symbolic links or specially crafted file paths that, when extracted by Argo Workflows, overwrite critical system files or execute malicious payloads. The potential impact is severe, including complete system compromise, data exfiltration, and denial of service. Successful exploitation could grant an attacker full control over the Kubernetes cluster where Argo Workflows is deployed, enabling them to move laterally and compromise other resources.
CVE-2025-66626 was publicly disclosed on 2025-12-15. The vulnerability exhibits similarities to other ZipSlip vulnerabilities, which have been actively exploited in the past. The EPSS score is currently pending evaluation, but the RCE nature of the vulnerability suggests a potential for medium to high exploitation probability. No public proof-of-concept exploits are currently known, but the ease of exploitation makes it likely that one will emerge.
Organizations deploying Argo Workflows in Kubernetes environments, particularly those processing untrusted zip files as part of their workflows, are at significant risk. Shared Kubernetes clusters where multiple teams or applications share resources are also at increased risk, as a compromised Argo Workflows instance could potentially impact other workloads.
• go: Monitor Argo Workflows logs for unusual file extraction patterns or errors related to zip file processing.
  Get-WinEvent -FilterHashtable @{LogName='Application'; Id=1000} | Where-Object { $_.Message -like '*Argo Workflows*' -and $_.Message -like '*zip extraction error*' }
• linux / server: Examine system logs (journalctl) for suspicious file creation or modification events within the Argo Workflows deployment directory.
  journalctl -u argoworkflows -g 'zip extraction' --since "-1h"
• generic web: Inspect Argo Workflows API endpoints for unexpected file uploads or processing requests. Use curl to test for potential vulnerabilities.
  curl -X POST -F '[email protected]' <argo_workflows_api_endpoint>
Disclosure
Exploit status
EPSS
0.09% (26th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade Argo Workflows to version 3.7.5 or later. If an immediate upgrade is not feasible, consider implementing strict input validation on zip archives processed by Argo Workflows to prevent the inclusion of symbolic links or unexpected file paths. WAF rules can be configured to block requests containing suspicious zip archive content. Monitor Argo Workflows logs for unusual file extraction activity or unexpected process execution. After upgrading, verify the fix by attempting to extract a known malicious zip archive (in a controlled environment) and confirming that it fails to execute arbitrary code.
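The "strict input validation on zip archives" mitigation above, shown as an added Go example (Go being the language Argo Workflows is written in). This is not the project's own extraction code or its upstream fix; it is a stand-alone extractor that refuses the two member types the advisory names, ZipSlip paths (`../` escaping the destination) and symbolic links. `Entry`, `BuildZip`, `ExtractZip` and `ErrUnsafeEntry` are names chosen here, and the archives it builds are constructed test data. It assumes the destination is a fresh, empty directory on a POSIX filesystem.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

var ErrUnsafeEntry = errors.New("unsafe zip entry")

// Entry is one archive member for BuildZip (constructed test data, not a real artifact).
type Entry struct {
	Name    string
	Body    string // file content, or the link target when Symlink is true
	Symlink bool
}

// BuildZip assembles an in-memory archive so the extractor can be exercised offline.
func BuildZip(entries []Entry) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		h := &zip.FileHeader{Name: e.Name, Method: zip.Deflate}
		mode := fs.FileMode(0o644)
		if e.Symlink {
			mode = fs.ModeSymlink | 0o777 // unix mode bits travel in ExternalAttrs
		}
		h.SetMode(mode)
		f, _ := w.CreateHeader(h)
		f.Write([]byte(e.Body))
	}
	w.Close()
	return buf.Bytes()
}

// safePath resolves name under dest and rejects anything that lands outside it (ZipSlip).
func safePath(dest, name string) (string, error) {
	base := filepath.Clean(dest)
	p := filepath.Join(base, name) // Join cleans, so "../" segments are resolved here
	if p != base && !strings.HasPrefix(p, base+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: path traversal %q", ErrUnsafeEntry, name)
	}
	return p, nil
}

// ExtractZip unpacks data into dest (a fresh, empty directory), refusing traversal paths
// and symlink members. The whole archive is validated before any byte is written.
func ExtractZip(data []byte, dest string) error {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return err
	}
	for _, f := range r.File {
		if _, err := safePath(dest, f.Name); err != nil {
			return err
		}
		if f.Mode()&fs.ModeSymlink != 0 {
			return fmt.Errorf("%w: symlink member %q", ErrUnsafeEntry, f.Name)
		}
	}
	for _, f := range r.File {
		p, _ := safePath(dest, f.Name)
		if f.FileInfo().IsDir() {
			continue // parent directories are created on demand below
		}
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		// Never write through a symlink that already exists at the target path.
		if fi, err := os.Lstat(p); err == nil && fi.Mode()&fs.ModeSymlink != 0 {
			return fmt.Errorf("%w: target %q is a symlink", ErrUnsafeEntry, p)
		}
		if err := copyMember(f, p); err != nil {
			return err
		}
	}
	return nil
}

func copyMember(f *zip.File, p string) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(p, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = out.ReadFrom(rc)
	return err
}
```

The design choice worth noting is the two-pass structure: every member name and mode is checked before the first write, so a malicious member late in the archive cannot land a partial extraction ahead of detection. The `Lstat` check covers the second half of the advisory's description, a link planted earlier that a later member would otherwise write through.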
Upgrade Argo Workflows to version 3.6.14 or later, or to version 3.7.5 or later. This fixes the ZipSlip and symbolic-link vulnerability that allows remote code execution. The update prevents an attacker from overwriting critical files and running malicious scripts in your Kubernetes environment.
CVE-2025-66626 is a Remote Code Execution vulnerability in Argo Workflows versions before 3.7.5, allowing attackers to execute arbitrary code through crafted zip files.
You are affected if you are using Argo Workflows versions prior to 3.7.5 and processing untrusted zip files.
Upgrade Argo Workflows to version 3.7.5 or later. Implement input validation and restrict file system access as temporary mitigations.
While no widespread exploitation has been confirmed, the vulnerability is publicly known and the underlying ZipSlip technique is well-understood, increasing the risk of exploitation.
Refer to the Argo Workflows security advisory on the Argo Project website for detailed information and updates: [https://argoproj.github.io/workflows/security/](https://argoproj.github.io/workflows/security/)