CVE-2025-66626

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4, contain unsafe untar code that handles symbolic links in archives. Concretely, the computation of a link's target and the subsequent check are flawed. An attacker can overwrite the file /var/run/argo/argoexec with a script of their choice, which would be executed at the pod's start. The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links. This issue is fixed in versions 3.6.14 and 3.7.5.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66626.json",
    "cwe_ids": [
        "CWE-23",
        "CWE-78"
    ]
}

References

Affected packages

Git / github.com/argoproj/argo-workflows

Affected ranges

Type: GIT
Repo: https://github.com/argoproj/argo-workflows
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

6b92af23f35aed4d4de8b04adcaf19d68f006de1

Affected versions

Other

ui-v3-rc1

v2.*

v2.0.0

v2.0.0-alpha1

v2.0.0-alpha2

v2.0.0-alpha3

v2.0.0-beta1

v2.1.0

v2.1.0-alpha1

v2.1.0-beta1

v2.1.0-beta2

v2.1.1

v2.10.0-rc1

v2.2.0

v2.2.1

v2.3.0-rc1

v2.3.0-rc2

v2.3.0-rc3

v3.*

v3.1.0-rc1

v3.2.0-rc1

v3.2.0-rc2

v3.2.0-rc3

v3.2.0-rc4

v3.3.0-rc1

v3.3.0-rc2

v3.3.0-rc3

v3.3.0-rc4

v3.3.0-rc5

v3.3.0-rc6

v3.3.0-rc7

v3.3.0-rc8

v3.4.0-rc1

v3.4.0-rc2

v3.4.0-rc3

v3.4.0-rc4

v3.5.0

v3.5.0-rc1

v3.5.0-rc2

v3.6.0

v3.6.0-rc1

v3.6.0-rc2

v3.6.0-rc3

v3.6.0-rc4

v3.7.0-rc1

v3.7.0-rc2

v3.7.0-rc3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66626.json"