CVE-2025-62157 HIGH

CVE-2025-62157: Argo Workflows exposes artifact repository credentials in workflow-controller logs

Vendor: Argoproj
Product: argo-workflows
Weakness: CWE-522 (Insufficiently protected credentials)
Published: October 14, 2025
Last update: October 14, 2025

CVSS base score

8.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Argo Workflows versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 expose artifact repository credentials in plaintext in workflow-controller pod logs. An attacker with permissions to read pod logs in a namespace running Argo Workflows can read the workflow-controller logs and obtain credentials to the artifact repository. Update to versions 3.6.12 or 3.7.3 to remediate the vulnerability. No known workarounds exist.
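The exposure depends on who can read pod logs in the namespace running Argo Workflows. The following added example (not part of the CVE record or the Argo project) applies Kubernetes RBAC rule matching to constructed Role and RoleBinding data to list the subjects that can `get` `pods/log`; the role names, subjects and the simplified roles-by-name input shape are assumptions.

```python
# Constructed sample data, loosely shaped like the output of
# `kubectl get roles,rolebindings -n <argo-namespace> -o json`. All names are hypothetical.
ROLES = {
    "log-reader": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}],
    "pod-viewer": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
    "ns-admin":   [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    "sub-wild":   [{"apiGroups": [""], "resources": ["*/log"], "verbs": ["get"]}],
    "log-lister": [{"apiGroups": [""], "resources": ["pods/log"], "verbs": ["list"]}],
}
BINDINGS = [
    {"roleRef": {"name": "log-reader"}, "subjects": [{"kind": "Group", "name": "dev-team"}]},
    {"roleRef": {"name": "pod-viewer"}, "subjects": [{"kind": "User", "name": "bob"}]},
    {"roleRef": {"name": "ns-admin"},   "subjects": [{"kind": "User", "name": "alice"}]},
    {"roleRef": {"name": "sub-wild"},   "subjects": [{"kind": "ServiceAccount", "name": "ci-bot"}]},
    {"roleRef": {"name": "log-lister"}, "subjects": [{"kind": "User", "name": "carol"}]},
]


def _has(values, *wanted):
    """True if any of the wanted tokens appears in the rule's list."""
    return any(w in values for w in wanted)


def rule_allows_log_read(rule):
    """Match a PolicyRule against `get` on the core-group subresource pods/log.

    RBAC matches a subresource by exact name, by "*/<subresource>", or by "*";
    plain "pods" does not cover "pods/log". Rules restricted by resourceNames
    are still reported (conservative choice for an audit).
    """
    return (_has(rule.get("apiGroups", []), "", "*")
            and _has(rule.get("resources", []), "pods/log", "*/log", "*")
            and _has(rule.get("verbs", []), "get", "*"))


def subjects_with_log_read(roles, bindings):
    """Return sorted "Kind/name" strings for subjects bound to a log-reading role."""
    exposed = set()
    for binding in bindings:
        rules = roles.get(binding["roleRef"]["name"], [])
        if any(rule_allows_log_read(r) for r in rules):
            for subject in binding.get("subjects", []):
                exposed.add(f'{subject["kind"]}/{subject["name"]}')
    return sorted(exposed)


if __name__ == "__main__":
    for entry in subjects_with_log_read(ROLES, BINDINGS):
        print("can read workflow-controller logs:", entry)
```

On a real cluster, ClusterRoles bound into the namespace and ClusterRoleBindings grant the same access and need to be included in the input.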

Key dates

02 Disclosure timeline

October 14, 2025: CVE published
October 14, 2025: Record updated