Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66626

CVE-2025-66626: Argo Workflows RCE Vulnerability

CVE-2025-66626 is a remote code execution flaw in Argoproj Argo Workflows caused by unsafe untar handling of symbolic links. Attackers can overwrite critical files to execute malicious code at pod start.

Published:

CVE-2025-66626 Overview

CVE-2025-66626 is a symlink attack vulnerability in Argo Workflows, an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. The vulnerability exists in the unsafe untar code that handles symbolic links in archives, where the computation of a link's target and the subsequent validation check are flawed. This allows an attacker to craft malicious archives containing symbolic links that can bypass path validation, enabling arbitrary file overwrite within the container.

Critical Impact

An attacker can overwrite the critical file /var/run/argo/argoexec with a script of their choice, which would be executed at pod startup, potentially leading to container compromise and unauthorized access to Kubernetes cluster resources.

Affected Products

  • Argoproj Argo Workflows versions 3.6.13 and below
  • Argoproj Argo Workflows versions 3.7.0 through 3.7.4

Discovery Timeline

  • 2025-12-09 - CVE-2025-66626 published to NVD
  • 2025-12-19 - Last updated in NVD database

Technical Details for CVE-2025-66626

Vulnerability Analysis

This vulnerability represents a bypass of the previous security patch deployed against CVE-2025-62156. The flawed symlink validation in the archive extraction code fails to properly resolve and validate symbolic link targets before creating them on the filesystem.

The vulnerable code path in workflow/executor/executor.go attempts to validate symlink targets by joining the directory path with the link name and checking if the result stays within the destination directory. However, the validation is ineffective against crafted archives because it does not properly handle absolute symlink targets before performing the path join operation. When a symlink with an absolute path target is encountered, the join operation produces an unexpected result, allowing the symlink to point outside the intended extraction directory.

Root Cause

The root cause lies in the improper validation of symbolic link targets during tar archive extraction. The original code computed the link target by joining the directory of the target file with header.Linkname without first checking whether the link target is an absolute path. This oversight allows attackers to craft archives with symbolic links containing absolute paths that escape the intended destination directory bounds.

Attack Vector

An attacker can exploit this vulnerability by:

  1. Crafting a malicious tar archive containing a symbolic link with a carefully constructed target path
  2. Uploading or providing this archive to an Argo Workflow that processes artifacts
  3. When the archive is extracted, the symlink bypasses the path validation check
  4. The attacker overwrites /var/run/argo/argoexec with a malicious script
  5. The malicious script executes when the pod starts, granting the attacker code execution within the container
go
 			if !strings.HasPrefix(target, filepath.Clean(dest)+string(os.PathSeparator)) {
 				return fmt.Errorf("illegal file path: %s", header.Name)
 			}
 			switch header.Typeflag {
 			case tar.TypeSymlink:
-				linkTarget := filepath.Join(filepath.Dir(target), header.Linkname)
+				// Validate symlink target before creating it
+				linkTarget := header.Linkname
+				if !filepath.IsAbs(linkTarget) {
+					linkTarget = filepath.Join(filepath.Dir(target), header.Linkname)
+				}
 				if !strings.HasPrefix(filepath.Clean(linkTarget), filepath.Clean(dest)+string(os.PathSeparator)) {
 					return fmt.Errorf("illegal symlink target: %s -> %s", header.Name, header.Linkname)
 				}
+				// Create parent directory if needed
+				if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
+					return err
+				}
 				err := os.Symlink(header.Linkname, target)
 				if err != nil {
 					return err

Source: GitHub Commit 6b92af23f35aed4d4de8b04adcaf19d68f006de1

Detection Methods for CVE-2025-66626

Indicators of Compromise

  • Unexpected modifications to /var/run/argo/argoexec file in workflow pods
  • Symbolic links within extracted artifact directories pointing to paths outside the extraction destination
  • Unusual script execution patterns during pod initialization
  • Unexpected process spawning from argoexec processes

Detection Strategies

  • Monitor filesystem changes to critical Argo Workflows executables, particularly /var/run/argo/argoexec
  • Implement runtime security monitoring for container workloads to detect file integrity violations
  • Audit artifact handling workflows for archives containing suspicious symbolic links
  • Deploy container security solutions that can detect path traversal attempts during archive extraction

Monitoring Recommendations

  • Enable Kubernetes audit logging to track artifact upload and extraction activities
  • Configure alerts for unexpected file modifications in Argo executor containers
  • Implement SentinelOne Singularity for Kubernetes to monitor container runtime behavior
  • Review workflow definitions for untrusted artifact sources that could deliver malicious archives

How to Mitigate CVE-2025-66626

Immediate Actions Required

  • Upgrade Argo Workflows to version 3.6.14 or 3.7.5 immediately
  • Audit existing workflows for any artifacts sourced from untrusted locations
  • Review pod security policies to restrict write access to critical system paths
  • Implement network policies to limit artifact sources to trusted repositories

Patch Information

The fix has been released in Argo Workflows versions 3.6.14 and 3.7.5. The patch adds proper validation for absolute symbolic link targets before the path join operation. The security fix ensures that both relative and absolute symlink targets are validated against the destination directory bounds before the symlink is created on the filesystem.

For detailed patch information, refer to the GitHub Security Advisory GHSA-xrqc-7xgx-c9vh and the security patch commit.

Workarounds

  • Restrict artifact sources to only trusted, verified repositories until patches can be applied
  • Implement admission controllers to reject workflows that process artifacts from external sources
  • Use read-only root filesystems for Argo executor containers where possible
  • Deploy runtime security solutions to block unauthorized file modifications in container workloads
bash
# Upgrade Argo Workflows using Helm
helm repo update
helm upgrade argo-workflows argo/argo-workflows --version 3.7.5 -n argo

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.