CVE-2025-66626
BaseFortify

Publication date: 2025-12-09

Last updated on: 2025-12-12

Assigner: GitHub, Inc.

Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4 contain unsafe untar code that handles symbolic links in archives. Concretely, the computation of a link's target and the subsequent check are flawed. An attacker can overwrite the file /var/run/argo/argoexec with a script of their choice, which would be executed at the pod's start. The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links. This issue is fixed in versions 3.6.14 and 3.7.5.
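The description names the flaw class without showing it: a tar extractor must resolve a relative symlink target from the directory that will contain the link, then confirm the result stays inside the extraction root. The following Go program is an added example written for this page; it is not Argo's untar code and does not reproduce the fixed or unfixed logic. It is a dry-run validator over an in-memory tar stream, and it goes slightly beyond the description by also rejecting a later entry whose path passes through a symlink accepted earlier, since a purely lexical check cannot see where that link points on disk. The extraction root /tmp/extract and the archive contents are constructed fixtures; nothing is written to disk.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var (
	ErrEscapesRoot     = errors.New("entry resolves outside the extraction root")
	ErrThroughSymlink  = errors.New("entry path passes through an earlier symlink")
	ErrUnsupportedType = errors.New("unsupported tar entry type")
)

// safeJoin joins rel onto root and fails if the cleaned result leaves root (CWE-23).
func safeJoin(root, rel string) (string, error) {
	cleanRoot := filepath.Clean(root)
	target := filepath.Join(cleanRoot, rel) // Join cleans, so ".." segments collapse
	if target != cleanRoot && !strings.HasPrefix(target, cleanRoot+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %q", ErrEscapesRoot, rel)
	}
	return target, nil
}

// symlinkTarget computes where a symlink entry would point once created. A relative
// target is resolved from the directory containing the link, not from the root;
// using the wrong base is the flaw class the advisory describes.
func symlinkTarget(root, name, linkname string) (string, error) {
	if filepath.IsAbs(linkname) {
		return "", fmt.Errorf("%w: absolute symlink %q", ErrEscapesRoot, linkname)
	}
	return safeJoin(root, filepath.Join(filepath.Dir(name), linkname))
}

// ValidateTar walks a tar stream and returns the destination path of each entry it
// would accept, or the first error. It is a dry run: nothing touches the filesystem.
func ValidateTar(root string, r io.Reader) ([]string, error) {
	tr := tar.NewReader(r)
	links := map[string]bool{} // cleaned, root-relative names of accepted symlinks
	var accepted []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return accepted, nil
		}
		if err != nil {
			return nil, err
		}
		name := filepath.Clean(hdr.Name)
		if filepath.IsAbs(name) {
			return nil, fmt.Errorf("%w: absolute entry name %q", ErrEscapesRoot, name)
		}
		dest, err := safeJoin(root, name)
		if err != nil {
			return nil, err
		}
		// Refuse to write beneath a symlink created by an earlier entry.
		for d := filepath.Dir(name); d != "."; d = filepath.Dir(d) {
			if links[d] {
				return nil, fmt.Errorf("%w: %q under %q", ErrThroughSymlink, name, d)
			}
		}
		switch hdr.Typeflag {
		case tar.TypeReg, tar.TypeDir:
		case tar.TypeSymlink:
			if _, err := symlinkTarget(root, name, hdr.Linkname); err != nil {
				return nil, err
			}
			links[name] = true
		case tar.TypeLink:
			// Hard-link targets are archive-relative, so they join onto root directly.
			if _, err := safeJoin(root, hdr.Linkname); err != nil {
				return nil, err
			}
		default:
			return nil, fmt.Errorf("%w: %q (%c)", ErrUnsupportedType, name, hdr.Typeflag)
		}
		accepted = append(accepted, dest)
	}
}

type entry struct {
	name, link string
	typ        byte
}

// buildTar produces a constructed in-memory archive for the dry run (not a real artifact).
func buildTar(entries []entry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Linkname: e.link, Typeflag: e.typ, Mode: 0o644}
		if e.typ == tar.TypeReg {
			hdr.Size = 8 // len("payload\n")
		}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if e.typ == tar.TypeReg {
			if _, err := io.WriteString(tw, "payload\n"); err != nil {
				panic(err)
			}
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// BenignArchive: a file plus a symlink whose target, resolved from bin/, stays inside root.
func BenignArchive() []byte {
	return buildTar([]entry{
		{name: "data/file.txt", typ: tar.TypeReg},
		{name: "bin/alias", link: "../data/file.txt", typ: tar.TypeSymlink},
	})
}

// EscapingArchive: the same link shape with one more ".." leaves the root.
func EscapingArchive() []byte {
	return buildTar([]entry{{name: "bin/alias", link: "../../outside.txt", typ: tar.TypeSymlink}})
}

// ThroughLinkArchive: a regular file written beneath a symlink accepted one entry earlier.
func ThroughLinkArchive() []byte {
	return buildTar([]entry{
		{name: "d", link: "somewhere", typ: tar.TypeSymlink},
		{name: "d/file.txt", typ: tar.TypeReg},
	})
}

func main() {
	root := "/tmp/extract" // hypothetical destination; never written to
	for _, c := range []struct {
		label string
		data  []byte
	}{{"benign", BenignArchive()}, {"escaping", EscapingArchive()}, {"through-link", ThroughLinkArchive()}} {
		accepted, err := ValidateTar(root, bytes.NewReader(c.data))
		fmt.Printf("%-12s accepted=%v err=%v\n", c.label, accepted, err)
	}
}
```

The lexical check alone is the part CVE-2025-66626 is about; the through-link rule matters because once a symlink exists on disk, a later entry named beneath it is written wherever the link points, which no string comparison against the root can detect. On Go 1.24 and later, performing the actual writes through an `os.Root` gives the same guarantee at the kernel level and is the preferable mitigation for real extractors.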
Meta Information
Published: 2025-12-09
Last Modified: 2025-12-12
Generated: 2026-05-07
AI Q&A: 2025-12-09
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products
Showing 5 associated CPEs

Vendor   Product     Version / Range
argo     workflows   3.7.0
argo     workflows   3.6.14
argo     workflows   3.6.13
argo     workflows   3.7.5
argo     workflows   3.7.4
CWE ID    Description
CWE-23    The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
CWE-78    The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Argo Workflows versions 3.6.13 and below and 3.7.0 through 3.7.4, where unsafe untar code improperly handles symbolic links in archives. Specifically, the computation of a symbolic link's target and the subsequent security check are flawed, allowing an attacker to overwrite the file /var/run/argo/argoexec with a malicious script. This script would then be executed when the pod starts. The patch for a previous CVE (CVE-2025-62156) does not fix this issue. The vulnerability is fixed in versions 3.6.14 and 3.7.5.


How can this vulnerability impact me?

An attacker exploiting this vulnerability can overwrite a critical executable file with a malicious script that runs at pod startup. This can lead to unauthorized code execution within the Kubernetes environment, potentially compromising the integrity and availability of the system, and allowing the attacker to perform harmful actions such as privilege escalation or disruption of workflows.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Argo Workflows to version 3.6.14 or 3.7.5 or later, as these versions contain the fix for the unsafe untar code handling symbolic links. Avoid using vulnerable versions 3.6.13 and below or 3.7.0 through 3.7.4.

