Argo Workflows Zip Slip Vulnerability Leading to Remote Code Execution

Vulnerability

A remote code execution vulnerability exists in Argo Workflows versions 3.6.13 and earlier, as well as 3.7.0 to 3.7.4. The issue arises from unsafe extraction code that improperly handles symbolic links in archived files. This flaw allows an attacker to overwrite the /var/run/argo/argoexec file with a custom script, which is executed when the pod starts. The underlying path traversal lets archive entries bypass the normal extraction constraints, so files are written to critical system directories instead of staying inside the extraction target.

Impact

Exploitation of this vulnerability allows remote code execution within the affected pod: the argoexec file is overwritten with a malicious script that is executed at pod startup.

Reproduction

To reproduce this vulnerability, upload to an S3 bucket a malicious tar.gz file containing path traversal entries that exploit the Zip Slip vulnerability. Then, create a workflow in Argo Workflows that downloads this file and extracts it. The extraction process will overwrite a file in the /etc/ directory of the container, demonstrating the vulnerability.

Remediation

Users can upgrade to Argo Workflows versions 3.6.14 or 3.7.5, where this vulnerability has been patched.
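
For teams that maintain their own archive extraction code, the following added example (not code from Argo Workflows or its patch) shows a per-entry check against this class of bug, meant to be called on every header returned by tar.Reader.Next before anything is written. CheckEntry, hdr and the /work/extract destination are hypothetical names; the check assumes the extractor writes each entry to the same filepath.Join(dest, name) path and is deliberately strict, rejecting absolute link targets and any write onto or beneath a link from the same archive.

```go
package main

import (
	"archive/tar"
	"fmt"
	"path/filepath"
	"strings"
)

func inside(dest, p string) bool { // is cleaned path p equal to dest or below it?
	rel, err := filepath.Rel(dest, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// CheckEntry validates one tar header before anything is written; links holds
// paths of links already accepted. Assumes dest is clean and holds no symlinks.
func CheckEntry(dest string, links map[string]bool, h *tar.Header) error {
	path := filepath.Join(dest, h.Name) // Join also resolves "../" segments
	if !inside(dest, path) {
		return fmt.Errorf("entry %q escapes %s", h.Name, dest)
	}
	for p := path; p != dest; p = filepath.Dir(p) { // never write onto or beneath an earlier link
		if links[p] {
			return fmt.Errorf("entry %q passes through link %s", h.Name, p)
		}
	}
	if h.Typeflag != tar.TypeSymlink && h.Typeflag != tar.TypeLink {
		return nil
	}
	base := dest // hard-link targets are relative to the archive root
	if h.Typeflag == tar.TypeSymlink {
		base = filepath.Dir(path) // symlink targets are relative to the link
	}
	if filepath.IsAbs(h.Linkname) || !inside(dest, filepath.Join(base, h.Linkname)) {
		return fmt.Errorf("link %q -> %q escapes %s", h.Name, h.Linkname, dest)
	}
	links[path] = true
	return nil
}

func hdr(name string, typ byte, link string) *tar.Header { // constructed sample header
	return &tar.Header{Name: name, Typeflag: typ, Linkname: link}
}

func main() { // a symlink that stays inside dest, then a file written through it
	seen, dest := map[string]bool{}, "/work/extract"
	fmt.Println(CheckEntry(dest, seen, hdr("out", tar.TypeSymlink, "data")))
	fmt.Println(CheckEntry(dest, seen, hdr("out/argoexec", tar.TypeReg, "")))
}
```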

Added: Dec 9, 2025, 9:39 PM
Updated: Dec 9, 2025, 9:39 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.