Relative Path Traversal in github.com/argoproj/argo-workflows/v3/workflow/executor | CVE-2025-66626

Q: How to fix?

Upgrade github.com/argoproj/argo-workflows/v3/workflow/executor to version 3.7.5, 3.6.14 or higher.

Introduced: 9 Dec 2025

NewCVE-2025-66626 (opens in a new tab) CWE-23 (opens in a new tab)

How to fix?

Upgrade github.com/argoproj/argo-workflows/v3/workflow/executor to version 3.7.5, 3.6.14 or higher.

Overview

Affected versions of this package are vulnerable to Relative Path Traversal in the untar process. An attacker can execute arbitrary code with elevated privileges by crafting a malicious archive containing symbolic links that overwrite critical files such as /var/run/argo/argoexec, which will be executed at pod startup.

Note:

The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Relative Path Traversal Affecting github.com/argoproj/argo-workflows/v3/workflow/executor package, versions >=3.7.0-rc1 <3.7.5<3.6.14

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 9 Dec 2025

How to fix?

Overview

References

CVSS Base Scores

Snyk