CVE-2025-66626 HIGH

CVE-2025-66626: argoproj/argo-workflows is vulnerable to RCE via ZipSlip and symbolic links

Vendor Argoproj

Product argo-workflows

Weakness CWE-23

Published December 9, 2025

Last update December 12, 2025

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4, contain unsafe untar code that handles symbolic links in archives. Concretely, the computation of a link's target and the subsequent check are flawed. An attacker can overwrite the file /var/run/argo/argoexec with a script of their choice, which would be executed at the pod's start. The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links. This issue is fixed in versions 3.6.14 and 3.7.5.

Key dates

02Disclosure timeline

December 9, 2025 CVE published

December 12, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-66626 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/23.html

Related vulnerabilities

Identifiers

CVE CVE-2025-66626

CWE CWE-23

CVSS 8.1 / HIGH

Affected versions

Vendor Argoproj

Product argo-workflows

Affected github.com/argoproj/argo-workflows/v3 >= 3.7.0, < 3.7.5

Vendor Argoproj

Product argo-workflows

Affected github.com/argoproj/argo-workflows/v3 < 3.6.14

Vendor Argoproj

Product argo-workflows

Affected github.com/argoproj/argo-workflows <= 2.5.3-rc4

CVE-2025-66626: argoproj/argo-workflows is vulnerable to RCE via ZipSlip and symbolic links

01Description

02Disclosure timeline

03References

04Related CVE