CVE-2025-62156
Published: 14 October 2025
Summary
CVE-2025-62156 is a high-severity Path Traversal (CWE-22) vulnerability in Argoproj Argo Workflows. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE is ranked in the top 45.2% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Directly addresses the path traversal vulnerability by requiring validation of archive entry names (header.Name) to ensure they remain within the intended extraction directory before processing.
Mitigates the specific flaw in Argo Workflows' artifact extraction logic by identifying, reporting, and applying the patch to versions 3.6.12 or 3.7.3.
Limits the impact of successful path traversal by enforcing least privilege for the workflow executor process, preventing writes to sensitive system directories like /etc if running as non-root.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Zip Slip path traversal enables arbitrary file writes inside the container (e.g., /etc/passwd for local account creation, T1136.001; /etc/crontab for cron persistence, T1053.003), facilitating privilege escalation (T1068) via exploitation of the remote workflow service (T1210).
NVD Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 contain a Zip Slip path traversal vulnerability in artifact extraction. During artifact extraction the unpack/untar logic (workflow/executor/executor.go) uses filepath.Join(dest, filepath.Clean(header.Name)) without validating that header.Name stays within the intended extraction directory. A malicious archive entry can supply a traversal or absolute path that, after cleaning, overrides the destination directory and causes files to be written outside the /work/tmp extraction path and into system directories such as /etc inside the container. The vulnerability enables arbitrary file creation or overwrite in system configuration locations (for example /etc/passwd, /etc/hosts, /etc/crontab), which can lead to privilege escalation or persistence within the affected container. Update to 3.6.12 or 3.7.3 to remediate the issue.
Deeper analysis [AI]
CVE-2025-62156 is a Zip Slip path traversal vulnerability in Argo Workflows, an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. The issue affects versions prior to 3.6.12 and versions 3.7.0 through 3.7.2, specifically in the artifact extraction logic within workflow/executor/executor.go. This logic uses filepath.Join(dest, filepath.Clean(header.Name)) without validating that the cleaned header.Name remains within the intended /work/tmp extraction directory, allowing malicious archive entries with traversal sequences or absolute paths to write files outside the target path.
An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high integrity (I:H) and availability (A:H) impacts with unchanged scope (S:U), which gives the CVSS 3.1 score of 8.1. By supplying a malicious archive in a workflow artifact, the attacker can overwrite or create files in sensitive system directories inside the affected container, such as /etc/passwd, /etc/hosts, or /etc/crontab, potentially enabling privilege escalation or persistence within the container (CWE-22).
The Argo Workflows security advisory (GHSA-p84v-gxvw-73pf) and related commits recommend updating to version 3.6.12 or 3.7.3 for remediation. These patches address the validation flaw, as shown in the fixing commits and the original vulnerable code at executor.go line 993.
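The containment check that the description says was missing can be audited against an archive before extraction. The following is an added example, not Argo Workflows code and not the project's patch: it places the unchecked join pattern quoted above beside one way to validate entry names, and reports which headers would be refused. The helper names (unsafeTarget, safeTarget, rejectedEntries, sampleArchive) are hypothetical, the sample archive is constructed in memory, and Unix path separators are assumed.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// unsafeTarget is the join pattern quoted in the description: no containment check.
func unsafeTarget(dest, name string) string { return filepath.Join(dest, filepath.Clean(name)) }

// safeTarget (hypothetical helper) errors when name is absolute or resolves outside dest.
func safeTarget(dest, name string) (string, error) {
	rel, err := filepath.Rel(dest, filepath.Join(dest, name))
	if err != nil || filepath.IsAbs(name) || strings.HasPrefix(filepath.ToSlash(rel)+"/", "../") {
		return "", fmt.Errorf("entry %q escapes %s", name, dest)
	}
	return filepath.Join(dest, rel), nil
}

// rejectedEntries lists refused entry names with the path the unchecked join would produce.
func rejectedEntries(dest string, tr *tar.Reader) (bad []string, _ error) {
	for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		if _, err := safeTarget(dest, h.Name); err != nil {
			bad = append(bad, h.Name+" -> "+unsafeTarget(dest, h.Name))
		}
	}
	return bad, nil
}

// sampleArchive returns a constructed in-memory tar: one normal entry, one traversal entry.
func sampleArchive() *tar.Reader {
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)
	for _, n := range []string{"out/result.txt", "../../etc/crontab"} {
		_ = tw.WriteHeader(&tar.Header{Name: n, Mode: 0600, Typeflag: tar.TypeReg})
	}
	_ = tw.Close()
	return tar.NewReader(buf)
}

func main() { fmt.Println(rejectedEntries("/work/tmp", sampleArchive())) }
```

The check is lexical only; it does not follow symlinks that already exist under the extraction directory.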
Details
- CWE(s)