Relative Path Traversal in github.com/argoproj/argo-workflows/workflow/executor | CVE-2025-66626

Q: How to fix?

There is no fixed version for github.com/argoproj/argo-workflows/workflow/executor .

Introduced: 9 Dec 2025

NewCVE-2025-66626 (opens in a new tab) CWE-23 (opens in a new tab)

How to fix?

There is no fixed version for github.com/argoproj/argo-workflows/workflow/executor.

Overview

Affected versions of this package are vulnerable to Relative Path Traversal in the untar process. An attacker can execute arbitrary code with elevated privileges by crafting a malicious archive containing symbolic links that overwrite critical files such as /var/run/argo/argoexec, which will be executed at pod startup.

Note:

The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links.

References

GitHub Commit
GitHub Commit
GitHub Commit
Vulnerable Code

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Relative Path Traversal Affecting github.com/argoproj/argo-workflows/workflow/executor package, versions >=0.0.0

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 9 Dec 2025

How to fix?

Overview

References

CVSS Base Scores

Snyk