CVE-2025-62157
📋 TL;DR
Argo Workflows versions before 3.6.12 and 3.7.0-3.7.2 expose artifact repository credentials in plaintext in workflow-controller pod logs. Attackers with pod log read permissions can steal these credentials to access artifact repositories. Organizations using vulnerable Argo Workflows versions on Kubernetes are affected.
💻 Affected Systems
- Argo Workflows
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain artifact repository credentials, potentially accessing sensitive build artifacts, source code, or deploying malicious containers to production environments.
Likely Case
Internal attackers or compromised accounts with pod log access steal credentials to access artifact repositories, potentially exfiltrating sensitive data or tampering with artifacts.
If Mitigated
With strict RBAC limiting pod log access to trusted administrators only, credential exposure remains contained within the security perimeter.
🎯 Exploit Status
Exploitation requires Kubernetes RBAC permissions to read pod logs in the namespace running Argo Workflows. Once obtained, credentials are visible in plaintext logs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.12 or 3.7.3
Vendor Advisory: https://github.com/argoproj/argo-workflows/security/advisories/GHSA-c2hv-4pfj-mm2r
Restart Required: Yes
Instructions:
1. Update Argo Workflows to version 3.6.12 or 3.7.3 using your deployment method (Helm, kubectl, etc.).
2. Restart the workflow-controller pod to apply the fix.
3. Verify logs no longer contain plaintext credentials.
🔧 Temporary Workarounds
No official workarounds
The vendor advisory states no known workarounds exist. Updating to patched versions is required.
🧯 If You Can't Patch
- Restrict RBAC permissions to prevent unauthorized users from reading pod logs in namespaces running Argo Workflows.
- Implement log monitoring to detect access to workflow-controller logs and alert on suspicious credential exposure patterns.
🔍 How to Verify
Check if Vulnerable:
Check the Argo Workflows version by extracting the image tag from the controller deployment and comparing it with the affected ranges (before 3.6.12, and 3.7.0 through 3.7.2):
kubectl get deployment -n <argo-namespace> argo-workflows -o jsonpath="{.spec.template.spec.containers[0].image}" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+'
Adjust the deployment name to match your installation: the upstream manifests name the controller deployment workflow-controller, and Helm installs use a release-prefixed name.
Check Version:
kubectl get deployment -n <argo-namespace> argo-workflows -o jsonpath="{.spec.template.spec.containers[0].image}"
Verify Fix Applied:
After patching, check workflow-controller logs for plaintext credentials using 'kubectl logs -n <argo-namespace> <workflow-controller-pod> | grep -i "password\|token\|credential"' to confirm they are no longer exposed. Logs written before the upgrade may still hold the credentials in retained pod logs or in a log aggregator, so plan to rotate the affected artifact repository credentials as well.
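The version check above is a range comparison, and plain string matching gets it wrong for tags such as 3.7.10. The script below is an added example, not part of the advisory or the Argo project: it extracts the tag from an image reference, compares it numerically against the affected ranges, and reports unparseable tags such as "latest" as UNKNOWN instead of treating them as patched. The quay.io image references are constructed inputs, and the kubectl invocation in the comment assumes the upstream deployment name workflow-controller.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an Argo Workflows image
# reference against the CVE-2025-62157 affected ranges
# (before 3.6.12, and 3.7.0 through 3.7.2; fixed in 3.6.12 and 3.7.3).

# Pull the first X.Y.Z triple out of an image reference such as
# quay.io/argoproj/workflow-controller:v3.7.1 (image name is an assumption).
image_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Turn X.Y.Z into a single integer so versions compare numerically
# (3.7.10 must sort above 3.7.2, which a string compare gets wrong).
version_key() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Exit status 0 when the version is in an affected range, 1 otherwise.
is_vulnerable() {
    v=$(version_key "$1")
    if [ "$v" -lt "$(version_key 3.6.12)" ]; then
        return 0
    fi
    if [ "$v" -ge "$(version_key 3.7.0)" ] && [ "$v" -le "$(version_key 3.7.2)" ]; then
        return 0
    fi
    return 1
}

# Print a verdict for an image reference; tags without a version (e.g.
# "latest") are reported as UNKNOWN rather than silently treated as patched.
check_image() {
    ver=$(image_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN"
    elif is_vulnerable "$ver"; then
        echo "VULNERABLE ($ver)"
    else
        echo "patched ($ver)"
    fi
}

# Constructed image references for demonstration. Against a live cluster,
# feed kubectl's output instead (deployment name is an assumption), e.g.
#   check_image "$(kubectl get deployment -n <argo-namespace> workflow-controller \
#       -o jsonpath='{.spec.template.spec.containers[0].image}')"
for img in quay.io/argoproj/workflow-controller:v3.6.11 \
           quay.io/argoproj/workflow-controller:v3.7.2 \
           quay.io/argoproj/workflow-controller:v3.7.3 \
           quay.io/argoproj/workflow-controller:latest; do
    printf '%-50s %s\n' "$img" "$(check_image "$img")"
done
```

Run it as-is to see the four constructed cases, or replace the loop input with the output of the kubectl command from the verification step. An UNKNOWN verdict means the tag carries no version and you need to inspect the image digest or the running binary instead.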
📡 Detection & Monitoring
Log Indicators:
- Plaintext artifact repository credentials (passwords, tokens, keys) in workflow-controller pod logs
- Unauthorized access attempts to read workflow-controller logs
Network Indicators:
- Unexpected connections from workflow-controller pods to artifact repositories using stolen credentials
SIEM Query:
source="kubernetes" pod_name="workflow-controller-*" log_message=/(password|token|credential|key)\s*[:=]\s*[^\s]{8,}/i
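The SIEM query's pattern can also be run directly over exported pod logs, which is useful when verifying the fix or triaging retained logs without a SIEM. The script below is an added example, not from the advisory: it mirrors the query's keyword, separator and value shape in awk (a length check stands in for the {8,} quantifier) and prints each matching line with the value redacted, so the alert output does not re-leak the secret it found. The log lines are constructed to resemble logrus-style controller output and contain only fake values.

```shell
#!/bin/sh
# Added example (not from the advisory): scan controller log lines for the
# keyword/separator/value shape used in the SIEM query and print matches
# with the value replaced by [REDACTED].

# Reads log lines on stdin; prints one redacted line per hit.
scan_credential_leaks() {
    awk '
    {
        low = tolower($0)
        # Keyword, optional spaces, ":" or "=", optional spaces, then a value run.
        if (match(low, /(password|token|credential|key)[[:space:]]*[:=][[:space:]]*[^[:space:]]+/)) {
            s = RSTART; l = RLENGTH
            m = substr($0, s, l)
            # Locate the separator inside the match; the value starts right after it.
            match(m, /[:=][[:space:]]*/)
            vstart = s + RSTART + RLENGTH - 1
            vlen = l - (RSTART + RLENGTH - 1)
            # Same minimum length as the {8,} in the SIEM query.
            if (vlen >= 8) {
                print substr($0, 1, vstart - 1) "[REDACTED]" substr($0, vstart + vlen)
            }
        }
    }'
}

# Constructed sample lines in the controller log format; every secret-looking
# value here is fake. Line 2 is a deliberate false positive: an S3 object key.
SAMPLE_LOGS='time="2025-01-01T00:00:00Z" level=info msg="Processing workflow" namespace=argo workflow=build-abc
time="2025-01-01T00:00:01Z" level=info msg="artifact repo config" s3.bucket=artifacts s3.key=build-abc/output.tgz
time="2025-01-01T00:00:02Z" level=info msg="artifact repo config" s3.accessKeySecret.password=EXAMPLE_FAKE_SECRET_1
time="2025-01-01T00:00:03Z" level=info msg="gcs credentials" token: EXAMPLE_FAKE_TOKEN_22
time="2025-01-01T00:00:04Z" level=info msg="short value" password=abc'

# Demo run on the constructed lines. Against a cluster, pipe in
#   kubectl logs -n <argo-namespace> <workflow-controller-pod>
printf '%s\n' "$SAMPLE_LOGS" | scan_credential_leaks
```

The second sample line shows why the generic "key" keyword is noisy for artifact repositories: S3 object keys match it as readily as access keys do, so narrow the keyword list (for example to accesskey, secretkey and password) for your repository type before alerting on it. A hit on lines older than the patch date confirms the credential was already logged and needs rotation.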