Platform: go
Component: github.com/argoproj/argo-workflows
Fixed in: 3.6.13, 3.7.1, 3.6.12
CVE-2025-62156 identifies a Zip Slip vulnerability in Argo Workflows, specifically in the github.com/argoproj/argo-workflows component. The flaw allows attackers to potentially extract arbitrary files from the server, leading to data exposure and potential system compromise. It affects versions of Argo Workflows released before 3.6.12; a patch is available in version 3.6.12.
The Zip Slip vulnerability arises from insufficient validation of file paths when extracting files from ZIP archives. An attacker can craft a malicious ZIP file containing specially crafted filenames that, when extracted, cause files to be written outside the intended directory. This could allow an attacker to read sensitive configuration files, source code, or other critical data stored on the server. The potential impact extends beyond data exposure: depending on the server's configuration and which files are reachable, an attacker could gain remote code execution and compromise the entire system. The vulnerability resembles other Zip Slip exploits, in which a path traversal weakness is leveraged to access unauthorized files.
CVE-2025-62156 was publicly disclosed on 2025-11-05. The EPSS score is currently pending evaluation. No public proof-of-concept (PoC) exploits have been publicly released at the time of writing, but the nature of Zipslip vulnerabilities makes it likely that one will emerge. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS: 0.13% (33rd percentile)
CISA SSVC: (none listed)
CVSS Vector: (none listed)
The primary mitigation for CVE-2025-62156 is to upgrade Argo Workflows to version 3.6.12 or later. If an immediate upgrade is not feasible, consider temporary workarounds such as restricting the types of files that Argo Workflows may upload and process. Implement strict validation of every file path used during ZIP extraction, rejecting entries that would resolve outside the destination directory. Consider using a Web Application Firewall (WAF) with rules that detect and block ZIP files containing path traversal attempts. Monitor Argo Workflows logs for suspicious file extraction activity.
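As an added illustration of the strict path validation recommended above (example code written for this page, not Argo Workflows' own extraction code): a Go check that resolves each ZIP entry name against the destination directory and rejects any name that would escape it, plus a scanner that lists the offending entries of an in-memory archive. The destination "/srv/extract" and the entry names in SampleNames are constructed sample values.

```go
package main
import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)
// SampleNames is constructed: a benign entry, a Zip Slip traversal, and an in-tree ".." use.
var SampleNames = []string{"ok/file.txt", "../../etc/outside.txt", "ok/../still-ok.txt"}
// SafeJoin resolves a ZIP entry name against dest and refuses the Zip Slip
// pattern: absolute names, backslashes, and "../" that would escape dest.
func SafeJoin(dest, name string) (string, error) {
	if filepath.IsAbs(name) || strings.ContainsAny(name, `\`) {
		return "", fmt.Errorf("unsafe entry name %q", name)
	}
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name) // Join cleans, so ".." collapses here
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes %s", name, cleanDest)
	}
	return target, nil
}
// UnsafeEntries returns every entry name SafeJoin would refuse under dest (reject
// the whole archive if non-empty). On Go 1.20+ NewReader may pair a usable reader
// with an "insecure path" error for such names, so only a nil reader is unreadable.
func UnsafeEntries(dest string, data []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if zr == nil {
		return nil, err
	}
	var bad []string
	for _, f := range zr.File {
		if _, err := SafeJoin(dest, f.Name); err != nil {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}
// BuildArchive writes a constructed in-memory ZIP to use as a test fixture.
func BuildArchive(names ...string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, n := range names {
		zw.Create(n) // empty entry; the path check never looks at contents
	}
	zw.Close()
	return buf.Bytes()
}
```

Note that "ok/../still-ok.txt" is accepted because it cleans to a path inside the destination; the check is on the resolved path, not on the mere presence of "..".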
Update argo-workflows to version 3.6.12 or later, or to version 3.7.3 or later. This fixes the path traversal vulnerability that allows arbitrary file writes and overwriting of the container's configuration. The update prevents possible privilege escalation and persistence within the affected container.
CVE-2025-62156 is a high-severity Zip Slip vulnerability affecting Argo Workflows versions prior to 3.6.12. It allows attackers to potentially extract arbitrary files from the server.
You are affected if you are running Argo Workflows versions earlier than 3.6.12. Check your current version and upgrade immediately if vulnerable.
Upgrade Argo Workflows to version 3.6.12 or later. Implement temporary workarounds like restricting file uploads if an immediate upgrade is not possible.
While no public exploits are currently known, the vulnerability's nature suggests potential for exploitation. Monitor security advisories and threat intelligence feeds.
Refer to the official Argo Workflows security advisories on the Argo Projects website for detailed information and updates: [https://argoproj.github.io/workflows/security/](https://argoproj.github.io/workflows/security/)