Argo Workflows Nil Pointer Dereference Vulnerability in RBAC Authorization Delegation

Vulnerability

A denial-of-service vulnerability has been identified in Argo Workflows versions 4.0.0 up to but not including 4.0.5. The issue is a nil pointer dereference in the RBAC authorization function that occurs when SSO delegation to namespace is enabled. The flaw causes the server to panic for SSO users whose claims match a namespace-level RBAC rule but no rule in the SSO namespace. The vulnerability has been patched in version 4.0.5.

Impact

Exploitation of this vulnerability leads to a permanent denial-of-service condition for the affected SSO users, who receive an HTTP 500 error on every request. The server process itself keeps running, so the impact is confined to those users, but their use of the service is severely disrupted.

Reproduction

To reproduce this vulnerability, deploy Argo Workflows v4.0.4 on a Kubernetes cluster with Dex as the OIDC provider. Enable SSO delegation to namespace and create a ServiceAccount RBAC rule in a target namespace without a matching rule in the SSO namespace. After authenticating via the Dex SSO flow, requesting workflows in the target namespace triggers the nil pointer dereference panic, which the server logs.
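A constructed Go model of the defect class and its fix, added here as an illustration and not Argo Workflows' own code. The rule store, the namespaces (`argo` standing in for the SSO namespace, `team-a` for the target namespace), the group claims and all function names are assumptions; the buggy variant reads through an SSO-namespace lookup that is nil for a user who matches only the namespace-level rule, the fixed variant checks each lookup before use, and `handle` shows why the panic surfaces as an HTTP 500 rather than a crash of the process.

```go
package main

import "fmt"
// Rule is a constructed, simplified RBAC rule (not Argo code): the ServiceAccount a matching SSO user is delegated to.
type Rule struct{ ServiceAccount string }
// rules: namespace -> group claim -> the RBAC rule defined in that namespace.
var rules = map[string]map[string]*Rule{
	"argo":   {"admins": {ServiceAccount: "argo-admin"}},          // SSO namespace
	"team-a": {"team-a-devs": {ServiceAccount: "team-a-runner"}}, // target namespace
}
// match returns the rule in ns for the first group claim that has one, or nil.
func match(ns string, groups []string) *Rule {
	for _, g := range groups {
		if r := rules[ns][g]; r != nil {
			return r
		}
	}
	return nil
}
// authorizeBuggy models the defect with delegation to namespace enabled: the
// target-namespace match wins, yet the SSO-namespace rule (nil here) is still read.
func authorizeBuggy(ssoNS, targetNS string, groups []string) string {
	ssoRule := match(ssoNS, groups)
	if nsRule := match(targetNS, groups); nsRule != nil {
		return fmt.Sprintf("%s (over %s)", nsRule.ServiceAccount, ssoRule.ServiceAccount) // nil deref
	}
	if ssoRule != nil {
		return ssoRule.ServiceAccount
	}
	return ""
}
// authorizeFixed checks every lookup for nil before use and reports denial explicitly.
func authorizeFixed(ssoNS, targetNS string, groups []string) (string, bool) {
	if nsRule := match(targetNS, groups); nsRule != nil {
		return nsRule.ServiceAccount, true
	}
	if ssoRule := match(ssoNS, groups); ssoRule != nil {
		return ssoRule.ServiceAccount, true
	}
	return "", false
}
// handle models the API server: a recovered panic becomes the error the user sees as HTTP 500.
func handle(authorize func() string) (sa string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("internal error: %v", r)
		}
	}()
	return authorize(), nil
}
```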

Remediation

Users can upgrade to Argo Workflows version 4.0.5 to address this vulnerability.

Added: May 9, 2026, 4:22 AM
Updated: May 9, 2026, 4:22 AM

Vulnerability Rating

Custom Algorithm scores:

spread: 4.5
impact: 0.6
exploitability: 6.2
remediation: 7.7
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.