Unsafe Untar Code in Argo Workflows Affects Kubernetes Deployment
CVE-2025-66626

8.1 HIGH

Key Information:

Vendor:
Argoproj

CVE Published:
9 December 2025

What is CVE-2025-66626?

Argo Workflows, a widely used open-source container-native workflow engine for Kubernetes, has a vulnerability in the tar-extraction ("untar") code used by its executor. Versions 3.6.13 and earlier and versions 3.7.0 through 3.7.4 are affected. The untar routine did not handle symbolic links in the archive safely; the classic form of this bug is a symlink entry that points outside the extraction directory, followed by a regular-file entry whose write then lands through that link. An attacker who can get such a crafted archive extracted can therefore overwrite files the executor relies on, such as the executor binary at /var/run/argo/argoexec, with a malicious script, and because that binary runs when the workflow pod starts, the script executes inside the pod. Upgrade to 3.6.14 or 3.7.5, where the extraction code has been fixed; until then, treat any source that can supply archives to the executor as untrusted input.
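The pattern described above, as an added illustration that is not Argo's own code and does not reproduce the project's fix: one Go extractor run in a "naive" mode that recreates symlinks verbatim and opens later entries through them, and in a "hardened" mode that confines entry paths, symlink targets and each file's resolved parent to the extraction root. The archive is constructed in memory (a "bin" symlink followed by "bin/argoexec"); a temporary directory stands in for /var/run/argo, and the function names, the stand-in paths and the payload are assumptions for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// inside reports whether path is root itself or lies beneath it (Rel cleans the path first).
func inside(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	return err == nil && filepath.IsLocal(rel)
}

// untar extracts archive into dst. hardened=false mirrors the flawed pattern the advisory
// describes: a symlink entry is recreated verbatim and a later file entry is opened through it.
// hardened=true confines entry paths, link targets and each file's resolved parent to dst.
func untar(dst string, archive []byte, hardened bool) error {
	root, err := filepath.EvalSymlinks(dst)
	if err != nil {
		return err
	}
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		p := filepath.Join(root, hdr.Name)
		if hardened && !inside(root, p) {
			return fmt.Errorf("entry %q escapes extraction root", hdr.Name)
		}
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		switch hdr.Typeflag { // directory and other entry types are skipped in this example
		case tar.TypeSymlink:
			target := hdr.Linkname // absolute targets are judged as-is, relative ones from the link's directory
			if !filepath.IsAbs(target) {
				target = filepath.Join(filepath.Dir(p), target)
			}
			if hardened && !inside(root, target) {
				return fmt.Errorf("symlink %q -> %q escapes extraction root", hdr.Name, hdr.Linkname)
			}
			err = os.Symlink(hdr.Linkname, p)
		case tar.TypeReg:
			resolved, rerr := filepath.EvalSymlinks(filepath.Dir(p)) // defence in depth: where the parent really lives
			fi, lerr := os.Lstat(p)                                  // and whether the destination is itself a symlink
			if hardened && (rerr != nil || !inside(root, resolved) || (lerr == nil && fi.Mode()&os.ModeSymlink != 0)) {
				return fmt.Errorf("entry %q would write outside root or through a symlink", hdr.Name)
			}
			f, oerr := os.OpenFile(p, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode)&0o777)
			if err = oerr; err == nil { // OpenFile follows the link: in the naive mode this write hits the stand-in argoexec
				_, err = io.Copy(f, tr)
				f.Close()
			}
		}
		if err != nil {
			return err
		}
	}
}

// buildTar constructs, in memory, an archive with one symlink entry followed by one
// regular-file entry. Constructed sample input, not a real Argo artifact.
func buildTar(linkName, linkTarget, fileName string, payload []byte) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: linkName, Typeflag: tar.TypeSymlink, Linkname: linkTarget, Mode: 0o777})
	tw.WriteHeader(&tar.Header{Name: fileName, Typeflag: tar.TypeReg, Mode: 0o755, Size: int64(len(payload))})
	tw.Write(payload)
	tw.Close()
	return buf.Bytes()
}

// demo plants a stand-in argoexec in a temp dir that plays the role of /var/run/argo, extracts an
// archive whose "bin" link points there (followed by "bin/argoexec") into a subdirectory of it,
// and reports whether the stand-in was overwritten.
func demo(hardened bool) (overwrote bool, extractErr error, err error) {
	base, err := os.MkdirTemp("", "argo-run")
	if err != nil {
		return false, nil, err
	}
	defer os.RemoveAll(base)
	dst, victim, original := filepath.Join(base, "extract"), filepath.Join(base, "argoexec"), "original argoexec binary"
	if err = os.Mkdir(dst, 0o755); err == nil {
		err = os.WriteFile(victim, []byte(original), 0o755)
	}
	if err != nil {
		return false, nil, err
	}
	extractErr = untar(dst, buildTar("bin", base, "bin/argoexec", []byte("#!/bin/sh\necho pwned\n")), hardened)
	got, err := os.ReadFile(victim)
	return string(got) != original, extractErr, err
}

func main() {
	fmt.Println(demo(false)) // naive extractor: overwrote=true, extractErr=nil
	fmt.Println(demo(true))  // hardened extractor: overwrote=false, extractErr names the rejected link
}
```

The hardened path checks in two places on purpose: the link target is validated before the symlink is created, and the real parent of every regular file is re-resolved just before the write, so an archive that reaches the write through a link created earlier (or through a symlink already present in the destination) is still refused.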

Affected Version(s)

Package: argo-workflows (github.com/argoproj/argo-workflows/v3)
Affected: >= 3.7.0, < 3.7.5
Fixed in: 3.7.5

Package: argo-workflows (github.com/argoproj/argo-workflows/v3)
Affected: < 3.6.14
Fixed in: 3.6.14

Package: argo-workflows (github.com/argoproj/argo-workflows)
Affected: <= 2.5.3-rc4
Last affected: 2.5.3-rc4 (no fixed version listed)


CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Note: the metric values as listed (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) compute to a CVSS 3.1 base score of 6.5, not 8.1; 8.1 is the score for the same vector with Confidentiality: High. One of the two fields shown here is inconsistent, so confirm the vector string against the upstream advisory before relying on either.

Timeline

  • Vulnerability published: 9 December 2025

  • Vulnerability reserved