CVE-2025-62156: Zipslip in Argo Workflows
Platform: go
Component: github.com/argoproj/argo-workflows
Fixed in: 3.6.13, 3.7.1, 3.6.12
CVE-2025-62156 identifies a Zipslip vulnerability in Argo Workflows, specifically in the github.com/argoproj/argo-workflows component. The flaw allows an attacker who supplies a crafted archive to have its entries extracted to arbitrary locations on the server, leading to file tampering and potential system compromise. The vulnerability affects versions of Argo Workflows released before 3.6.12, and a patch is available in version 3.6.12.
Impact and Attack Scenarios
The Zipslip vulnerability arises from insufficient validation of file paths when extracting files from ZIP archives. An attacker can craft a malicious ZIP file whose entry names contain path traversal sequences (for example `../`) that, when extracted, cause files to be written outside the intended directory. This could allow an attacker to overwrite sensitive configuration files, source code, or other critical data stored on the server. The potential impact extends beyond simple data tampering: depending on the server's configuration and which files are writable, an attacker could potentially gain remote code execution, effectively compromising the entire system. This vulnerability shares similarities with other Zipslip exploits, where path traversal is leveraged to write to unauthorized locations.
Exploitation Context
CVE-2025-62156 was publicly disclosed on 2025-11-05. The EPSS score is currently pending evaluation. No public proof-of-concept (PoC) exploits had been released at the time of writing, but the nature of Zipslip vulnerabilities makes it likely that one will emerge. Monitor security advisories and threat intelligence feeds for updates.
Threat Intelligence
Exploit Status
EPSS: 0.13% (33rd percentile)
CISA SSVC
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. The attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: Low — any valid user account is sufficient. Basic authenticated access is required.
- User Interaction: None — the attack is automatic and silent. The victim does nothing: no click, no file open.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: None — no confidentiality impact. The attacker cannot read protected data.
- Integrity: High — the attacker can write, modify, or delete any data: databases, config files, or code.
- Availability: High — complete crash or resource exhaustion. Full denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-62156 is to upgrade Argo Workflows to version 3.6.12 or later. If an immediate upgrade is not feasible, consider temporary workarounds such as restricting the types of files that can be uploaded to and processed by Argo Workflows. Enforce strict validation of every file path used during ZIP extraction, so that no entry can resolve outside the destination directory. Consider using a Web Application Firewall (WAF) with rules to detect and block malicious ZIP files containing path traversal attempts. Monitor Argo Workflows logs for suspicious file extraction activity, such as entry names containing `..` segments or absolute paths.
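As an added illustration of the containment check that Zipslip attacks rely on being absent, the Go extractor below resolves every archive entry name beneath the destination directory, rejects the whole archive before writing anything if any entry escapes, refuses symlink entries, and caps per-entry size. This is example code written for this page, not code from the Argo Workflows project or from its fix; the `SafeJoin`, `ExtractZip` and `BuildZip` names, the 64 MiB cap and the sample archives are constructed assumptions.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned for any entry that would land outside destDir.
var ErrPathTraversal = errors.New("zip entry escapes destination directory")

// maxEntryBytes caps the decompressed size of one entry (assumed limit, guards
// against decompression bombs; pick a value that fits your workload).
const maxEntryBytes = 64 << 20

// SafeJoin resolves an archive entry name beneath destDir and rejects names
// that are absolute, carry a volume prefix, or climb out via ".." segments.
func SafeJoin(destDir, name string) (string, error) {
	absDest, err := filepath.Abs(destDir)
	if err != nil {
		return "", err
	}
	cleanName := filepath.FromSlash(name) // archive names use forward slashes
	if filepath.IsAbs(cleanName) || filepath.VolumeName(cleanName) != "" {
		return "", fmt.Errorf("%w: %q", ErrPathTraversal, name)
	}
	dest := filepath.Join(absDest, cleanName) // Join also cleans "a/../../x"
	rel, err := filepath.Rel(absDest, dest)
	if err != nil {
		return "", err
	}
	// "." means the entry names the destination itself; ".." or "../x" means it escaped.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrPathTraversal, name)
	}
	return dest, nil
}

// ExtractZip unpacks an in-memory archive under destDir and returns the
// destination-relative paths it wrote. All names are validated before the
// first write, so a bad entry late in the archive leaves nothing behind.
func ExtractZip(data []byte, destDir string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	targets := make([]string, 0, len(r.File))
	for _, f := range r.File {
		dest, err := SafeJoin(destDir, f.Name)
		if err != nil {
			return nil, err
		}
		targets = append(targets, dest)
	}
	absDest, _ := filepath.Abs(destDir)
	var written []string
	for i, f := range r.File {
		dest := targets[i]
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(dest, 0o755); err != nil {
				return written, err
			}
			continue
		}
		// A symlink entry pointing outside destDir would defeat the path check
		// for later entries written "through" it, so refuse them outright.
		if f.FileInfo().Mode()&os.ModeSymlink != 0 {
			return written, fmt.Errorf("refusing symlink entry %q", f.Name)
		}
		if err := os.MkdirAll(filepath.Dir(dest), 0o755); err != nil {
			return written, err
		}
		rc, err := f.Open()
		if err != nil {
			return written, err
		}
		out, err := os.OpenFile(dest, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
		if err != nil {
			rc.Close()
			return written, err
		}
		n, err := io.Copy(out, io.LimitReader(rc, maxEntryBytes+1))
		rc.Close()
		out.Close()
		if err != nil {
			return written, err
		}
		if n > maxEntryBytes {
			return written, fmt.Errorf("entry %q exceeds %d bytes", f.Name, maxEntryBytes)
		}
		rel, _ := filepath.Rel(absDest, dest)
		written = append(written, filepath.ToSlash(rel))
	}
	return written, nil
}

// BuildZip constructs an in-memory archive from (name, content) pairs; it is
// used only to produce constructed sample inputs, including traversal names.
func BuildZip(entries [][2]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, _ := w.Create(e[0]) // the writer does not validate names
		fw.Write([]byte(e[1]))
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	dir, _ := os.MkdirTemp("", "zipslip-demo")
	defer os.RemoveAll(dir)
	benign := BuildZip([][2]string{{"config/app.yaml", "replicas: 1\n"}})
	malicious := BuildZip([][2]string{{"notes.txt", "hello"}, {"../outside.txt", "escaped"}})
	fmt.Println(ExtractZip(benign, dir))    // [config/app.yaml] <nil>
	fmt.Println(ExtractZip(malicious, dir)) // [] zip entry escapes destination directory: "../outside.txt"
}
```

The validate-then-write ordering matters: checking each entry only as it is extracted still lets earlier entries land on disk before the malicious one is noticed, which is exactly the partial state an attacker wants when the archive mixes legitimate and traversal entries.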
How to fix
Update argo-workflows to version 3.6.12 or later, or to version 3.7.3 or later. This fixes the path traversal vulnerability that allows arbitrary file writes and overwriting of the container configuration. The update prevents possible privilege escalation and persistence inside the affected container.
Frequently asked questions
What is CVE-2025-62156 — Zipslip in Argo Workflows?
CVE-2025-62156 is a high-severity Zipslip vulnerability affecting Argo Workflows versions prior to 3.6.12. It allows an attacker who supplies a crafted archive to have its entries written to arbitrary locations on the server.
Am I affected by CVE-2025-62156 in Argo Workflows?
You are affected if you are running Argo Workflows versions earlier than 3.6.12. Check your current version and upgrade immediately if vulnerable.
How do I fix CVE-2025-62156 in Argo Workflows?
Upgrade Argo Workflows to version 3.6.12 or later. Implement temporary workarounds like restricting file uploads if an immediate upgrade is not possible.
Is CVE-2025-62156 being actively exploited?
While no public exploits are currently known, the vulnerability's nature suggests potential for exploitation. Monitor security advisories and threat intelligence feeds.
Where can I find the official Argo Workflows advisory for CVE-2025-62156?
Refer to the official Argo Workflows security advisories on the Argo Project website for detailed information and updates: [https://argoproj.github.io/workflows/security/](https://argoproj.github.io/workflows/security/)