CVE-2025-62156
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-14

Last updated on: 2026-02-06

Assigner: GitHub, Inc.

Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 contain a Zip Slip path traversal vulnerability in artifact extraction. During artifact extraction the unpack/untar logic (workflow/executor/executor.go) uses filepath.Join(dest, filepath.Clean(header.Name)) without validating that header.Name stays within the intended extraction directory. A malicious archive entry can supply a traversal or absolute path that, after cleaning, overrides the destination directory and causes files to be written outside the /work/tmp extraction path and into system directories such as /etc inside the container. The vulnerability enables arbitrary file creation or overwrite in system configuration locations (for example /etc/passwd, /etc/hosts, /etc/crontab), which can lead to privilege escalation or persistence within the affected container. Update to 3.6.12 or 3.7.3 to remediate the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-14
Last Modified
2026-02-06
Generated
2026-06-16
AI Q&A
2025-10-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62156
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
argo_workflows_project argo_workflows to 3.6.12 (exc)
argo_workflows_project argo_workflows From 3.7.0 (inc) to 3.7.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Zip Slip path traversal issue in Argo Workflows versions prior to 3.6.12 and 3.7.0 through 3.7.2. During artifact extraction, the software uses filepath.Join with filepath.Clean on archive entry names without properly validating that the paths remain within the intended extraction directory. A malicious archive can include path traversal sequences or absolute paths that cause files to be written outside the intended directory (e.g., /work/tmp) and into sensitive system directories like /etc inside the container. This allows an attacker to create or overwrite arbitrary files in system configuration locations, potentially leading to privilege escalation or persistence within the container. [4]

Impact Analysis

This vulnerability can allow an attacker to write or overwrite arbitrary files in critical system directories inside the container, such as /etc/passwd, /etc/hosts, or /etc/crontab. This can lead to privilege escalation, unauthorized persistence, or disruption of container operations. Because the affected directories are volume-mounted and mirrored to the main container, the attacker can manipulate system configuration files, potentially compromising the container's integrity and availability. [4]

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious archive files containing path traversal entries (e.g., entries with '..' or absolute paths) being extracted by Argo Workflows. One can inspect the extracted files in the container's /etc directory for unexpected or unauthorized changes. Additionally, monitoring logs for artifact extraction activities and scanning tar.gz files for suspicious paths before extraction can help detect exploitation attempts. Specific commands might include: 1) Listing recently modified files in /etc inside the container: `find /etc -type f -mtime -1` 2) Inspecting tar.gz files for path traversal entries: `tar -tzf suspicious-archive.tar.gz | grep '\.\./'` or `tar -tzf suspicious-archive.tar.gz | grep '^/'` 3) Checking running Argo Workflows versions to identify vulnerable versions: `argo version` or inspecting the deployed container image tags. [4]

Mitigation Strategies

The immediate mitigation step is to update Argo Workflows to a patched version that fixes the vulnerability, specifically version 3.6.12 or 3.7.3 or later. Until the update can be applied, restrict the ability to upload and extract untrusted artifact archives, and monitor artifact extraction paths for suspicious activity. Applying strict validation on artifact contents before extraction and limiting container permissions to reduce the impact of potential exploitation are also recommended. [4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62156. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart