CVE-2025-62156
BaseFortify
Publication date: 2025-10-14
Last updated on: 2026-02-06
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| argo_workflows_project | argo_workflows | to 3.6.12 (exc) |
| argo_workflows_project | argo_workflows | From 3.7.0 (inc) to 3.7.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Zip Slip path traversal issue in Argo Workflows versions prior to 3.6.12 and 3.7.0 through 3.7.2. During artifact extraction, the software uses filepath.Join with filepath.Clean on archive entry names without properly validating that the paths remain within the intended extraction directory. A malicious archive can include path traversal sequences or absolute paths that cause files to be written outside the intended directory (e.g., /work/tmp) and into sensitive system directories like /etc inside the container. This allows an attacker to create or overwrite arbitrary files in system configuration locations, potentially leading to privilege escalation or persistence within the container. [4]
How can this vulnerability impact me?
This vulnerability can allow an attacker to write or overwrite arbitrary files in critical system directories inside the container, such as /etc/passwd, /etc/hosts, or /etc/crontab. This can lead to privilege escalation, unauthorized persistence, or disruption of container operations. Because the affected directories are volume-mounted and mirrored to the main container, the attacker can manipulate system configuration files, potentially compromising the container's integrity and availability. [4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious archive files containing path traversal entries (e.g., entries with '..' or absolute paths) being extracted by Argo Workflows. One can inspect the extracted files in the container's /etc directory for unexpected or unauthorized changes. Additionally, monitoring logs for artifact extraction activities and scanning tar.gz files for suspicious paths before extraction can help detect exploitation attempts. Specific commands might include:

1. Listing recently modified files in /etc inside the container: `find /etc -type f -mtime -1`
2. Inspecting tar.gz files for path traversal entries: `tar -tzf suspicious-archive.tar.gz | grep '\.\./'` or `tar -tzf suspicious-archive.tar.gz | grep '^/'`
3. Checking running Argo Workflows versions to identify vulnerable versions: `argo version` or inspecting the deployed container image tags. [4]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update Argo Workflows to a patched version that fixes the vulnerability, specifically version 3.6.12 or 3.7.3 or later. Until the update can be applied, restrict the ability to upload and extract untrusted artifact archives, and monitor artifact extraction paths for suspicious activity. Applying strict validation on artifact contents before extraction and limiting container permissions to reduce the impact of potential exploitation are also recommended. [4]
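The `filepath.Join`/`filepath.Clean` pattern named in the explanation above, next to the kind of containment check the validation advice calls for, as an added Go example (not Argo Workflows code and not the project's actual patch). The function names and the entry names are constructed for illustration; `/work/tmp` is the extraction directory from the description.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// naiveTarget is the pattern the description names: Join plus Clean with no
// containment check. Clean only normalises ".."; it does not stop the escape.
func naiveTarget(dest, entry string) string {
	return filepath.Clean(filepath.Join(dest, entry))
}

// safeTarget returns the extraction path for entry, or an error when the
// resolved path would not lie inside dest.
func safeTarget(dest, entry string) (string, error) {
	// Policy choice in this example: refuse absolute entry names outright.
	if filepath.IsAbs(entry) {
		return "", fmt.Errorf("absolute entry name rejected: %q", entry)
	}
	base := filepath.Clean(dest)
	target := filepath.Join(base, entry) // Join already applies Clean
	// Compare against base plus a separator so a sibling such as
	// "/work/tmp-evil" is not accepted as being inside "/work/tmp".
	if target != base && !strings.HasPrefix(target, base+string(filepath.Separator)) {
		return "", fmt.Errorf("entry escapes %s: %q", base, entry)
	}
	return target, nil
}

func main() {
	dest := "/work/tmp" // extraction directory from the description
	// Constructed entry names, not taken from a real archive.
	entries := []string{"data/out.txt", "../../etc/hosts", "/etc/hosts", "../tmp-evil/x"}
	for _, e := range entries {
		p, err := safeTarget(dest, e)
		fmt.Printf("%-18q naive=%-22s safe=%q err=%v\n", e, naiveTarget(dest, e), p, err)
	}
}
```

The check is purely lexical: symlink entries inside an archive are not covered by it and need separate handling.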