PT-2025-41937 · Unknown · Kubernetes+1

Published 2025-10-14 · Updated 2026-05-18 · CVE-2025-62156

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Argo Workflows versions prior to 3.6.12; Argo Workflows versions 3.7.0 through 3.7.2

Description: Argo Workflows, a container-native workflow engine for Kubernetes, contains a Zip Slip path traversal issue during artifact extraction. The unpack/untar logic in workflow/executor/executor.go uses filepath.Join(dest, filepath.Clean(header.Name)) without validating that header.Name remains within the intended extraction directory. A malicious archive entry can supply a traversal or absolute path that, after cleaning, overrides the destination directory, allowing files to be written outside the expected location and potentially into system directories like /etc inside the container. This enables arbitrary file creation or overwrite in system configuration locations, potentially leading to privilege escalation or persistence. The vulnerable component is the artifact extraction process, which handles both ZIP and tar archives.

Recommendations: Update to Argo Workflows version 3.6.12 or 3.7.3.
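As an added illustration (not Argo Workflows' own code), the unchecked join pattern described above is shown beside a hardened join that rejects any entry whose resolved path leaves the destination directory; the destination path and the archive entry names are constructed for the demo.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// unsafeTargetPath mirrors the pattern the advisory describes: filepath.Clean
// normalises the entry name but does nothing to stop ".." segments from
// climbing out of dest once the two are joined.
func unsafeTargetPath(dest, entryName string) string {
	return filepath.Join(dest, filepath.Clean(entryName))
}

// safeTargetPath is the hardened form: it refuses empty and absolute entry
// names, then checks that the joined path is dest itself or lies strictly
// below it. Rejection happens before any file is created, so a hostile entry
// never reaches a path outside the extraction directory.
// (Go 1.20+ also offers filepath.IsLocal for the first check.)
func safeTargetPath(dest, entryName string) (string, error) {
	if entryName == "" || filepath.IsAbs(entryName) {
		return "", fmt.Errorf("archive entry %q is empty or absolute", entryName)
	}
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, entryName) // Join cleans the result
	if target != cleanDest && !strings.HasPrefix(target, cleanDest+string(os.PathSeparator)) {
		return "", fmt.Errorf("archive entry %q escapes destination %q", entryName, cleanDest)
	}
	return target, nil
}

func main() {
	dest := "/tmp/argo/artifact" // constructed destination, not a real Argo path
	// Constructed entry names: one benign, one with traversal segments.
	for _, name := range []string{"out/result.json", "../../../../etc/passwd"} {
		fmt.Printf("unchecked join: %-24s -> %s\n", name, unsafeTargetPath(dest, name))
		if p, err := safeTargetPath(dest, name); err != nil {
			fmt.Printf("hardened join:  %-24s -> rejected (%v)\n", name, err)
		} else {
			fmt.Printf("hardened join:  %-24s -> %s\n", name, p)
		}
	}
}
```

The unchecked join resolves the traversal entry to /etc/passwd, outside dest, while the hardened join returns an error for it and for absolute names.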

Tags: Exploit · Fix · LPE

Weakness Enumeration: Relative Path Traversal · Path traversal

Related Identifiers

BIT-ARGO-WORKFLOWS-2025-62156
CLEANSTART-2026-BY71381
CLEANSTART-2026-CV28298
CLEANSTART-2026-DS30740
CLEANSTART-2026-DV04077
CLEANSTART-2026-FQ05951
CLEANSTART-2026-FX27781
CLEANSTART-2026-HK06185
CLEANSTART-2026-JQ02410
CLEANSTART-2026-LS30652
CLEANSTART-2026-MK40719
CLEANSTART-2026-OD47693
CLEANSTART-2026-PK69606
CLEANSTART-2026-PS30901
CLEANSTART-2026-QM19832
CLEANSTART-2026-RU00721
CLEANSTART-2026-SO95938
CLEANSTART-2026-WA03785
CLEANSTART-2026-WK88787
CLEANSTART-2026-WP20592
CLEANSTART-2026-XR17407
CLEANSTART-2026-ZM51114
CVE-2025-62156
GHSA-P84V-GXVW-73PF
GO-2025-4023
OPENSUSE-SU-2025:15710-1

Affected Products

Argo Workflows
Kubernetes