CVE-2025-66626 – This vulnerability in Argo Workflows allows att... (How to Fix)

Q: How do I fix CVE-2025-66626?

1. Upgrade Argo Workflows to version 3.6.14 or 3.7.5. 2. Update your Helm chart or deployment manifests. 3. Restart all Argo Workflows components. 4. Verify the new version is running.

Q: What is the severity of CVE-2025-66626?

CVE-2025-66626 has a CVSS score of 8.1 (HIGH). This vulnerability in Argo Workflows allows attackers to overwrite the argoexec file with malicious scripts via specially crafted archives containing symbolic links. When exploited, this leads to arbitrary code execution at pod startup. Organizations using vulnerable Argo Workflows versions on Kubernetes are affected.

📋 TL;DR

This vulnerability in Argo Workflows allows attackers to overwrite the argoexec file with malicious scripts via specially crafted archives containing symbolic links. When exploited, this leads to arbitrary code execution at pod startup. Organizations using vulnerable Argo Workflows versions on Kubernetes are affected.

💻 Affected Systems

Products:

Argo Workflows

Versions: Versions <=3.6.13 and versions 3.7.0 through 3.7.4

Operating Systems: Linux (Kubernetes environments)

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all deployments using vulnerable versions; the previous patch for CVE-2025-62156 does not protect against this specific symbolic link attack.

📦 What is this software?

Argo Workflows by Argoproj

View all CVEs affecting Argo Workflows →

Argo Workflows by Argoproj

View all CVEs affecting Argo Workflows →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Kubernetes pods running Argo Workflows, allowing attackers to execute arbitrary code, steal sensitive data, pivot to other cluster resources, and potentially achieve cluster-wide compromise.

🟠

Likely Case

Attackers gain code execution within affected pods, enabling data theft, lateral movement within the cluster, and disruption of workflow operations.

🟢

If Mitigated

With proper network segmentation, pod security policies, and limited permissions, impact could be contained to individual pods without cluster-wide compromise.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires ability to submit malicious archives to Argo Workflows; authenticated access or compromised workflow inputs are typically needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions 3.6.14 and 3.7.5

Vendor Advisory: https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xrqc-7xgx-c9vh

Restart Required: Yes

Instructions:

1. Upgrade Argo Workflows to version 3.6.14 or 3.7.5. 2. Update your Helm chart or deployment manifests. 3. Restart all Argo Workflows components. 4. Verify the new version is running.

🔧 Temporary Workarounds

Restrict archive sources

all

Limit workflow inputs to trusted sources only and validate all archive files before processing.

Implement pod security policies

linux

Use Kubernetes PodSecurityPolicy or Pod Security Standards to restrict pod capabilities and prevent privilege escalation.

kubectl apply -f restrictive-pod-security-policy.yaml

🧯 If You Can't Patch

Implement strict network policies to isolate Argo Workflows pods from sensitive resources
Enable audit logging for all workflow executions and monitor for suspicious archive processing

🔍 How to Verify

Check if Vulnerable:

Check Argo Workflows controller version: kubectl get deployment argo-workflows -o jsonpath='{.spec.template.spec.containers[0].image}'

Check Version:

kubectl exec deploy/argo-workflows -- argo version

Verify Fix Applied:

Confirm version is 3.6.14 or 3.7.5: kubectl get pods -l app=argo-workflows -o jsonpath='{.items[*].spec.containers[*].image}'

📡 Detection & Monitoring

Log Indicators:

Unusual archive processing errors
Multiple failed untar operations
Unexpected file modifications in /var/run/argo/

Network Indicators:

Suspicious outbound connections from Argo pods
Unexpected data exfiltration patterns

SIEM Query:

source="argo-workflows" AND (error="untar" OR "symbolic link" OR "/var/run/argo/argoexec")

📊 Metadata

CVE ID: CVE-2025-66626

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE: CWE-23

EPSS Score: 0.08% exploit probability (23.1th percentile)

Published: December 9, 2025

Last Updated: December 19, 2025

🔗 References

https://github.com/advisories/GHSA-p84v-gxvw-73pf Not Applicable
https://github.com/argoproj/argo-workflows/blob/5291e0b01f94ba864f96f795bb500f2cfc5ad799/workflow/executor/executor.go#L1034-L1037 Product
https://github.com/argoproj/argo-workflows/commit/6b92af23f35aed4d4de8b04adcaf19d68f006de1 Patch
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xrqc-7xgx-c9vh Exploit,Vendor Advisory
https://github.com/advisories/GHSA-p84v-gxvw-73pf Not Applicable
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xrqc-7xgx-c9vh Exploit,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-66626, you might also want to check these: