Argo Workflows Unchecked Annotation Parsing Leads to Controller Crash

Vulnerability

A denial-of-service vulnerability has been identified in Argo Workflows versions 3.6.5 through 4.0.4. The issue arises from an unchecked array index in the pod informer's 'podGCFromPod()' function. When a workflow pod contains a malformed 'workflows.argoproj.io/pod-gc-strategy' annotation, it triggers a controller-wide panic. This panic occurs within an informer goroutine, bypassing the controller's recovery mechanism, and crashes the entire controller process. The pod carrying the malformed annotation persists across controller restarts, creating a crash loop that disrupts all workflow processing until the pod is manually deleted.
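The bug class described above, shown next to a checked parser. This is an added example, not Argo Workflows code: the function names are hypothetical, and the "<strategy>/<duration>" value format is an assumption based on the advisory's statement that a value without a slash triggers the panic.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Annotation key named in the advisory.
const podGCAnnotation = "workflows.argoproj.io/pod-gc-strategy"

// parseUnchecked shows the bug class: it indexes the split result without
// checking its length, so a value with no "/" panics with index out of range.
func parseUnchecked(v string) (string, string) {
	parts := strings.Split(v, "/")
	return parts[0], parts[1]
}

// parseChecked returns an error instead of panicking on malformed input.
// Assumption: the value has the form "<strategy>/<duration>".
func parseChecked(v string) (string, time.Duration, error) {
	strategy, delay, ok := strings.Cut(v, "/")
	if !ok || strategy == "" {
		return "", 0, fmt.Errorf("malformed %s value %q", podGCAnnotation, v)
	}
	d, err := time.ParseDuration(delay)
	if err != nil {
		return "", 0, fmt.Errorf("bad delay in %q: %w", v, err)
	}
	return strategy, d, nil
}

// panics reports whether parseUnchecked panics on v.
func panics(v string) (p bool) {
	defer func() { p = recover() != nil }()
	parseUnchecked(v)
	return false
}

func main() {
	// Constructed sample values, not taken from a real cluster.
	for _, v := range []string{"OnPodCompletion/30s", "OnPodCompletion"} {
		_, _, err := parseChecked(v)
		fmt.Printf("%-22q unchecked panics=%v checked err=%v\n", v, panics(v), err)
	}
}
```

Returning an error lets an event handler log and skip the single malformed pod, rather than letting one annotation value take down the whole process.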

Impact

Exploiting this vulnerability causes the Argo Workflows controller to crash, leading to a crash-looping state that halts all workflow processing in the cluster. This denial-of-service condition persists until the problematic pod is manually removed.

Reproduction

To reproduce this vulnerability, apply a workflow to a cluster running an affected version of the Argo Workflows controller. The workflow must include a 'workflows.argoproj.io/pod-gc-strategy' annotation with a value that does not contain a slash. Once the workflow is submitted, the controller will crash within seconds, entering a 'CrashLoopBackOff' state. The controller logs will indicate a panic due to an 'index out of range' error, confirming that the vulnerability has been successfully exploited.

Remediation

Users can upgrade to Argo Workflows versions 4.0.5 or 3.7.14, where this vulnerability has been fixed.

Added: Apr 23, 2026, 7:54 PM
Updated: Apr 23, 2026, 7:54 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.