Platform: go
Component: github.com/argoproj/argo-workflows
Fixed versions: 3.0.1, 3.0.1, 2.5.4, 3.7.5
CVE-2025-66626 describes a Remote Code Execution (RCE) vulnerability discovered in Argo Workflows, a workflow engine for Kubernetes. This vulnerability arises from improper handling of zip file extraction, specifically leveraging ZipSlip and symbolic links to achieve code execution. Affected versions are those prior to 3.7.5; upgrading to this version resolves the issue.
The vulnerability allows an attacker to execute arbitrary code on the system running Argo Workflows. This can occur if an attacker can provide a crafted zip archive as input to the workflow engine. The ZipSlip vulnerability, combined with symbolic link traversal, enables the attacker to extract files to unexpected locations, potentially overwriting critical system files or executing malicious payloads. The blast radius extends to any system where Argo Workflows is deployed and processing untrusted zip files, potentially leading to complete system compromise and data exfiltration.
The vulnerability is publicly disclosed and has a HIGH CVSS score. While no public proof-of-concept (PoC) has been widely reported, the ZipSlip vulnerability is well-understood and has been exploited in other contexts, suggesting a potential for exploitation. The vulnerability was published on 2025-12-15. Its inclusion in the KEV catalog is pending.
Organizations deploying Argo Workflows in Kubernetes environments, particularly those processing untrusted zip files as part of their workflows, are at significant risk. Shared Kubernetes clusters where multiple teams or applications share resources are also at increased risk, as a compromised Argo Workflows instance could potentially impact other workloads.
• go: Monitor Argo Workflows logs for unusual file extraction patterns or errors related to zip file processing.
  Get-WinEvent -FilterHashtable @{LogName='Application'; Id=1000} | Where-Object { $_.Message -like '*Argo Workflows*' -and $_.Message -like '*zip extraction error*' }
• linux / server: Examine system logs (journalctl) for suspicious file creation or modification events within the Argo Workflows deployment directory.
  journalctl -u argoworkflows -g 'zip extraction' --since "1 hour ago"
• generic web: Inspect Argo Workflows API endpoints for unexpected file uploads or processing requests. Use curl to test for potential vulnerabilities.
  curl -X POST -F '[email protected]' <argo_workflows_api_endpoint>
Exploitation status:
EPSS: 0.09% (26th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation is to upgrade Argo Workflows to version 3.7.5 or later, which includes a fix for this vulnerability. If an immediate upgrade is not feasible, consider implementing input validation to restrict the types of files accepted by Argo Workflows. Additionally, restrict file system access for the Argo Workflows process to minimize the impact of a successful exploit. Implement a WAF rule to block requests containing suspicious zip file extensions or patterns. After upgrade, confirm by attempting to process a known malicious zip file (in a safe, isolated environment) and verifying that it is handled securely.
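The input-validation mitigation above amounts to refusing any archive member that would land outside the extraction directory or that is a symbolic link. The Go program below is an added example of such a fail-closed extractor; it is not Argo Workflows' own code, and the names SafeExtract, checkEntry, writeMember, Entry and BuildZip are assumptions of this example. The three archives it builds (a benign file, a "../" traversal member, and a symlink followed by a write through it) are constructed in memory for demonstration only.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafeEntry marks a member that would escape destDir (ZipSlip) or create a symlink.
var ErrUnsafeEntry = errors.New("unsafe zip entry")

// checkEntry validates one member and returns the on-disk path it may be written to.
func checkEntry(destDir string, f *zip.File) (string, error) {
	// Links are refused outright: a link outside destDir plus a later member written through it is the symlink half of the bug.
	if f.Mode()&os.ModeSymlink != 0 {
		return "", fmt.Errorf("%w: %q is a symlink", ErrUnsafeEntry, f.Name)
	}
	target := filepath.Join(destDir, f.Name) // Join cleans "..", so "a/../../x" resolves too
	if filepath.IsAbs(f.Name) || !strings.HasPrefix(target, filepath.Clean(destDir)+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes %q", ErrUnsafeEntry, f.Name, destDir) // IsAbs: "/x" would keep the prefix after Join
	}
	return target, nil
}

// writeMember materialises one checked member. O_EXCL makes the open fail if anything
// (including a symlink) already exists at target, so no write ever goes through a link.
func writeMember(f *zip.File, target string) error {
	if f.FileInfo().IsDir() {
		return os.MkdirAll(target, 0o755)
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = out.ReadFrom(rc)
	return err
}

// SafeExtract unpacks an in-memory zip into destDir and returns the paths written.
// Every member is checked before any is written, so one bad member rejects the whole archive.
func SafeExtract(data []byte, destDir string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	targets := make([]string, len(r.File))
	for i, f := range r.File {
		if targets[i], err = checkEntry(destDir, f); err != nil {
			return nil, err
		}
	}
	for i, f := range r.File {
		if err := writeMember(f, targets[i]); err != nil {
			return nil, err
		}
	}
	return targets, nil
}

// Entry is a constructed archive member (demonstration fixture); Body is the link target when Symlink is set.
type Entry struct{ Name, Body string; Symlink bool }

// BuildZip assembles an in-memory zip from constructed entries (not a real workflow artifact).
func BuildZip(entries ...Entry) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fh := &zip.FileHeader{Name: e.Name, Method: zip.Deflate}
		if e.Symlink {
			fh.SetMode(0o777 | os.ModeSymlink)
		}
		fw, _ := w.CreateHeader(fh) // fixture only; these names never fail header creation
		fw.Write([]byte(e.Body))
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "zip-demo")
	defer os.RemoveAll(dest)
	for _, z := range [][]byte{
		BuildZip(Entry{Name: "out/result.txt", Body: "ok"}),                                     // benign
		BuildZip(Entry{Name: "../escaped.txt", Body: "x"}),                                      // ZipSlip traversal
		BuildZip(Entry{Name: "link", Body: "/outside", Symlink: true}, Entry{Name: "link/file"}), // symlink, then a write through it
	} {
		fmt.Println(SafeExtract(z, dest))
	}
}
```

Two design points carry the mitigation: the archive is validated in full before the first byte is written, so a malicious member cannot leave a half-extracted tree behind, and files are opened with O_EXCL so that a link already present on disk is never followed during the write.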
Upgrade Argo Workflows to version 3.6.14 or later, or to version 3.7.5 or later. This fixes the ZipSlip and symbolic link vulnerability that allows remote code execution. The upgrade prevents an attacker from overwriting critical files and executing malicious scripts in your Kubernetes environment.
CVE-2025-66626 is a Remote Code Execution vulnerability in Argo Workflows versions before 3.7.5, allowing attackers to execute arbitrary code through crafted zip files.
You are affected if you are using Argo Workflows versions prior to 3.7.5 and processing untrusted zip files.
Upgrade Argo Workflows to version 3.7.5 or later. Implement input validation and restrict file system access as temporary mitigations.
While no widespread exploitation has been confirmed, the vulnerability is publicly known and the underlying ZipSlip technique is well-understood, increasing the risk of exploitation.
Refer to the Argo Workflows security advisory on the Argo Projects website for detailed information and updates: [https://argoproj.github.io/workflows/security/](https://argoproj.github.io/workflows/security/)