CVE-2025-62157
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-14

Last updated on: 2026-02-06

Assigner: GitHub, Inc.

Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Argo Workflows versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 expose artifact repository credentials in plaintext in workflow-controller pod logs. An attacker with permissions to read pod logs in a namespace running Argo Workflows can read the workflow-controller logs and obtain credentials to the artifact repository. Update to versions 3.6.12 or 3.7.3 to remediate the vulnerability. No known workarounds exist.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-14
Last Modified
2026-02-06
Generated
2026-06-16
AI Q&A
2025-10-14
EPSS Evaluated
2026-06-14
NVD
CVE-2025-62157
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
argo_workflows_project argo_workflows to 3.6.12 (exc)
argo_workflows_project argo_workflows From 3.7.0 (inc) to 3.7.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can allow an attacker with pod log read permissions to steal, modify, or delete artifacts stored in the artifact repository. This can lead to data exfiltration, data tampering, or data destruction, potentially causing loss of critical data or failures in workflow pipelines that depend on these artifacts. [3]

Executive Summary

CVE-2025-62157 is a vulnerability in Argo Workflows where artifact repository credentials are exposed in plaintext within the workflow-controller pod logs. An attacker who has permission to read these pod logs in the namespace running Argo Workflows can obtain these credentials and gain unauthorized access to the artifact repository. This vulnerability affects versions prior to 3.6.12 and versions 3.7.0 through 3.7.2. It is caused by insufficient protection of credentials, allowing sensitive authentication information to be retrieved from logs. [3]

Compliance Impact

The exposure of plaintext credentials and potential unauthorized access to sensitive data could lead to violations of data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive information and preventing unauthorized access. Organizations using affected versions of Argo Workflows may face compliance risks if this vulnerability is exploited, as it compromises confidentiality and integrity of stored artifacts. [3]

Detection Guidance

This vulnerability can be detected by checking the workflow-controller pod logs in the namespace running Argo Workflows for plaintext artifact repository credentials. Since the vulnerability involves exposure of credentials in pod logs, you can inspect these logs using Kubernetes commands such as: kubectl logs <workflow-controller-pod-name> -n <namespace>. Look specifically for any plaintext credentials related to the artifact repository. Detection requires permissions to read pod logs in the affected namespace. [3]

Mitigation Strategies

The immediate mitigation step is to update Argo Workflows to version 3.6.12 or 3.7.3 or later, as these versions contain the patch that removes plaintext artifact repository credentials from workflow-controller pod logs. No known workarounds exist, so upgrading is the recommended action to remediate the vulnerability. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62157. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart