CVE-2025-32445

Name of the Vulnerable Software and Affected Versions Argo Events versions prior to 1.9.6

Description Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create or modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. The EventSource and Sensor CRs allow the corresponding orchestrated pod to be customized with spec.template and spec.template.container, thus any specification under container such as command, args, securityContext, volumeMount can be specified and applied to the EventSource or Sensor pod. With these, a user would be able to gain privileged access to the cluster host if they specified the EventSource/Sensor CR with some particular properties under template.

Recommendations For versions prior to 1.9.6, update to version 1.9.6 to fix the vulnerability. As a temporary workaround, consider restricting access to the EventSource and Sensor custom resources to prevent users from creating or modifying them with privileged properties. Additionally, restrict the use of spec.template and spec.template.container in EventSource and Sensor CRs to minimize the risk of exploitation.