BIT-argo-workflows-2025-62157
See a problem?- Import Source
- https://github.com/bitnami/vulndb/tree/main/data/argo-workflows/BIT-argo-workflows-2025-62157.json
- JSON Data
- https://api.osv.dev/v1/vulns/BIT-argo-workflows-2025-62157
- Aliases
- Published
- 2025-10-17T20:39:31.704Z
- Modified
- 2025-11-05T19:57:36.337118Z
- Summary
- Argo Workflows exposes artifact repository credentials in workflow-controller logs
- Details
-
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Argo Workflows versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 expose artifact repository credentials in plaintext in workflow-controller pod logs. An attacker with permissions to read pod logs in a namespace running Argo Workflows can read the workflow-controller logs and obtain credentials to the artifact repository. Update to versions 3.6.12 or 3.7.3 to remediate the vulnerability. No known workarounds exist.
- Database specific
{ "cpes": [ "cpe:2.3:a:argo_workflows_project:argo_workflows:*:*:*:*:*:kubernetes:*:*" ], "severity": "High" }- References
-
- https://github.com/argoproj/argo-workflows/commit/18ad5138b6bcb2aba04e00b4ec657bc6b8fad8df
- https://github.com/argoproj/argo-workflows/commit/bded09fe4abd37cb98d7fc81b4c14a6f5034e9ab
- https://github.com/argoproj/argo-workflows/security/advisories/GHSA-c2hv-4pfj-mm2r
- https://nvd.nist.gov/vuln/detail/CVE-2025-62157
Affected packages
Bitnami / argo-workflows
Package
- Name
- argo-workflows
- Purl
- pkg:bitnami/argo-workflows
Severity
- 8.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator