CVE-2025-62157
BaseFortify
Publication date: 2025-10-14
Last updated on: 2026-02-06
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| argo_workflows_project | argo_workflows | to 3.6.12 (exc) |
| argo_workflows_project | argo_workflows | From 3.7.0 (inc) to 3.7.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can allow an attacker with pod log read permissions to steal, modify, or delete artifacts stored in the artifact repository. This can lead to data exfiltration, data tampering, or data destruction, potentially causing loss of critical data or failures in workflow pipelines that depend on these artifacts. [3]
Can you explain this vulnerability to me?
CVE-2025-62157 is a vulnerability in Argo Workflows where artifact repository credentials are exposed in plaintext within the workflow-controller pod logs. An attacker who has permission to read these pod logs in the namespace running Argo Workflows can obtain these credentials and gain unauthorized access to the artifact repository. This vulnerability affects versions prior to 3.6.12 and versions 3.7.0 through 3.7.2. It is caused by insufficient protection of credentials, allowing sensitive authentication information to be retrieved from logs. [3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The exposure of plaintext credentials and potential unauthorized access to sensitive data could lead to violations of data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive information and preventing unauthorized access. Organizations using affected versions of Argo Workflows may face compliance risks if this vulnerability is exploited, as it compromises confidentiality and integrity of stored artifacts. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the workflow-controller pod logs in the namespace running Argo Workflows for plaintext artifact repository credentials. Since the vulnerability involves exposure of credentials in pod logs, you can inspect these logs using Kubernetes commands such as: kubectl logs <workflow-controller-pod-name> -n <namespace>. Look specifically for any plaintext credentials related to the artifact repository. Detection requires permissions to read pod logs in the affected namespace. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update Argo Workflows to version 3.6.12 or 3.7.3 or later, as these versions contain the patch that removes plaintext artifact repository credentials from workflow-controller pod logs. No known workarounds exist, so upgrading is the recommended action to remediate the vulnerability. [3]