GHSA-c2hv-4pfj-mm2r
Suggest an improvement- Source
- https://github.com/advisories/GHSA-c2hv-4pfj-mm2r
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-c2hv-4pfj-mm2r/GHSA-c2hv-4pfj-mm2r.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-c2hv-4pfj-mm2r
- Aliases
- Downstream
- Related
- Published
- 2025-10-14T18:43:01Z
- Modified
- 2025-11-05T22:10:52Z
- Severity
-
- 8.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Argo Workflow may expose artifact repository credentials
- Details
-
Summary
An attacker who has permissions to read logs from pods in a namespace with Argo Workflow can read
workflow-controllerlogs and get credentials to the artifact repository.Details
An attacker, by reading the logs of the workflow controller pod, can access the artifact repository, and steal, delete or modify the data that resides there. The
workflow-controllerlogs show the credentials in plaintext.<img width="1366" alt="screen" src="https://github.com/user-attachments/assets/5642b2be-edcf-4050-bf47-747d05352698" />
Impact
An attacker with access to pod logs in the
argonamespace can extract plaintext credentials from theworkflow-controllerlogs and gain access to the artifact repository. This can lead to: - Data exfiltration – theft of sensitive or proprietary artifacts - Data tampering – modification of workflows or artifacts - Data destruction – deletion of stored artifacts, leading to potential loss of critical data or pipeline failure - Database specific
{ "cwe_ids": [ "CWE-522" ], "github_reviewed": true, "severity": "HIGH", "github_reviewed_at": "2025-10-14T18:43:01Z", "nvd_published_at": "2025-10-14T15:16:12Z" }- References
-
- https://github.com/argoproj/argo-workflows/security/advisories/GHSA-c2hv-4pfj-mm2r
- https://nvd.nist.gov/vuln/detail/CVE-2025-62157
- https://github.com/argoproj/argo-workflows/commit/18ad5138b6bcb2aba04e00b4ec657bc6b8fad8df
- https://github.com/argoproj/argo-workflows/commit/bded09fe4abd37cb98d7fc81b4c14a6f5034e9ab
- https://github.com/argoproj/argo-workflows
- https://pkg.go.dev/vuln/GO-2025-4024
Affected packages
Go / github.com/argoproj/argo-workflows/v3
Package
- Name
- github.com/argoproj/argo-workflows/v3
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/argoproj/argo-workflows/v3
Go / github.com/argoproj/argo-workflows/v3
Package
- Name
- github.com/argoproj/argo-workflows/v3
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/argoproj/argo-workflows/v3