Cyber Posture

CVE-2025-62156

High · Public PoC

Published: 14 October 2025
Modified: 06 February 2026
KEV Added:
Patch:
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0015 (35.1st percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Security Summary

CVE-2025-62156 is a Zip Slip path traversal vulnerability in Argo Workflows, an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. The issue affects versions prior to 3.6.12 and versions 3.7.0 through 3.7.2, specifically in the artifact extraction logic within workflow/executor/executor.go. This logic uses filepath.Join(dest, filepath.Clean(header.Name)) without validating that the cleaned header.Name remains within the intended /work/tmp extraction directory, allowing malicious archive entries with traversal sequences or absolute paths to write files outside the target path.

An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), achieving high integrity (I:H) and availability (A:H) impact with unchanged scope (S:U), for a CVSS 3.1 base score of 8.1. By supplying a malicious archive as a workflow artifact, the attacker can overwrite or create files in sensitive system directories inside the affected container, such as /etc/passwd, /etc/hosts, or /etc/crontab, potentially enabling privilege escalation or persistence within the container (CWE-22).

The Argo Workflows security advisory (GHSA-p84v-gxvw-73pf) and related commits recommend updating to version 3.6.12 or 3.7.3 for remediation. These patches address the validation flaw, as shown in the fixing commits and the original vulnerable code at executor.go line 993.
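To make the validation gap concrete, the following Go snippet (added here as an illustration; it is not Argo Workflows' own code) places the unchecked join pattern described above next to a hardened version that verifies the cleaned result stays under the extraction directory. The function names, the /work/tmp destination and the sample entry names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeEntry is returned for archive entries that are absolute or that
// would resolve outside the extraction directory.
var ErrUnsafeEntry = errors.New("archive entry is absolute or escapes the extraction directory")

// unsafeExtractPath mirrors the vulnerable pattern: the entry name is cleaned
// and joined onto dest, but the result is never compared against dest.
// A name such as "../../etc/crontab" therefore resolves to "/etc/crontab".
func unsafeExtractPath(dest, name string) string {
	return filepath.Join(dest, filepath.Clean(name))
}

// safeExtractPath joins the entry name under dest and then checks, on the
// cleaned result, that the target is dest itself or a descendant of it.
// Absolute entry names are rejected outright rather than silently re-rooted.
func safeExtractPath(dest, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", ErrUnsafeEntry
	}
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name) // Join also cleans ".." segments

	// Compute the path relative to dest; anything that starts with ".."
	// has climbed out of the extraction directory.
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeEntry
	}
	return target, nil
}

// sampleEntries is a constructed list of archive member names: two benign
// entries and three that attempt to leave the extraction directory.
var sampleEntries = []string{
	"results/out.txt",
	"logs/../summary.json",
	"../../etc/passwd",
	"..",
	"/etc/crontab",
}

// vetArchiveEntries applies safeExtractPath to every entry name and splits
// them into accepted target paths and rejected entry names.
func vetArchiveEntries(dest string, names []string) (accepted []string, rejected []string) {
	for _, n := range names {
		p, err := safeExtractPath(dest, n)
		if err != nil {
			rejected = append(rejected, n)
			continue
		}
		accepted = append(accepted, p)
	}
	return accepted, rejected
}

func main() {
	const dest = "/work/tmp"
	for _, n := range sampleEntries {
		fmt.Printf("%-20s unsafe=%-28s", n, unsafeExtractPath(dest, n))
		if p, err := safeExtractPath(dest, n); err != nil {
			fmt.Printf(" safe=REJECTED (%v)\n", err)
		} else {
			fmt.Printf(" safe=%s\n", p)
		}
	}
}
```

The containment check is performed on the cleaned, joined result rather than on the raw entry name, so mixed forms such as "a/../../x" are caught as well as a plain leading "../". A string-prefix comparison on the joined path alone would be weaker, since "/work/tmp-other" shares the prefix "/work/tmp"; using filepath.Rel avoids that pitfall.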

Details

CWE(s): CWE-22

Affected Products

argoproj
argo workflows
≤ 3.6.12 · 3.7.0 — 3.7.3

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1136.001 Local Account (Persistence)
Adversaries may create a local account to maintain access to victim systems.
T1053.003 Cron (Execution)
Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.
Why these techniques?

Zip Slip path traversal enables arbitrary file writes inside the container (e.g., /etc/passwd for local account creation T1136.001, /etc/crontab for cron persistence T1053.003), facilitating privilege escalation (T1068) via exploitation of the remote workflow service (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
