Argo Workflows exposes artifact repository credentials in workflow-controller logs
CVE-2025-62157

8.5HIGH

Key Information:

Vendor

Argoproj

Status
Argo-workflows
Vendor
CVE Published:
14 October 2025

What is CVE-2025-62157?

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Argo Workflows versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 expose artifact repository credentials in plaintext in workflow-controller pod logs. An attacker with permissions to read pod logs in a namespace running Argo Workflows can read the workflow-controller logs and obtain credentials to the artifact repository. Update to versions 3.6.12 or 3.7.3 to remediate the vulnerability. No known workarounds exist.

Affected Version(s)

argo-workflows >= 3.7.0, < 3.7.3 < 3.7.0, 3.7.3

argo-workflows < 3.6.12 < 3.6.12

References

https://github.com/argoproj/argo-workflows/security/advis...
x_refsource_CONFIRM
https://github.com/argoproj/argo-workflows/commit/18ad513...
x_refsource_MISC
https://github.com/argoproj/argo-workflows/commit/bded09f...
x_refsource_MISC

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-62157 : Artifact Repository Credentials Exposure in Argo Workflows by Argo Project