Directory Traversal Affecting argo-workflow-controller-compat-3.6 package, versions <3.6.12-r0


Severity: high

Snyk's Security Team recommends NVD's CVSS assessment.

Threat Intelligence

EPSS
0.54% (41st percentile)

  • Snyk ID: SNYK-MINIMOSLATEST-ARGOWORKFLOWCONTROLLERCOMPAT36-13571155
  • Published: 16 Oct 2025
  • Disclosed: 14 Oct 2025

Introduced: 14 Oct 2025

CVE-2025-62156
CWE-22

How to fix?

Upgrade Minimos:latest argo-workflow-controller-compat-3.6 to version 3.6.12-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream argo-workflow-controller-compat-3.6 package and not the argo-workflow-controller-compat-3.6 package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 contain a Zip Slip path traversal vulnerability in artifact extraction. During artifact extraction the unpack/untar logic (workflow/executor/executor.go) uses filepath.Join(dest, filepath.Clean(header.Name)) without validating that header.Name stays within the intended extraction directory. A malicious archive entry can supply a traversal or absolute path that, after cleaning, overrides the destination directory and causes files to be written outside the /work/tmp extraction path and into system directories such as /etc inside the container. The vulnerability enables arbitrary file creation or overwrite in system configuration locations (for example /etc/passwd, /etc/hosts, /etc/crontab), which can lead to privilege escalation or persistence within the affected container. Update to 3.6.12 or 3.7.3 to remediate the issue.
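The unchecked join the description names, beside the containment check that closes the gap, as an added Go example (not Argo Workflows' own code); the function names, the `/work/tmp` destination and the entry names are constructed for illustration:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathTraversal signals an archive entry whose resolved path would
// land outside the extraction directory.
var ErrPathTraversal = errors.New("archive entry escapes extraction directory")

// unsafeTarget reproduces the pattern named in the description: the cleaned
// entry name is joined onto dest with no check that the result stays under dest.
// "../../etc/passwd" under /work/tmp resolves to /etc/passwd.
func unsafeTarget(dest, name string) string {
	return filepath.Join(dest, filepath.Clean(name))
}

// safeTarget performs the same join but then verifies containment: the path
// relative to dest must not start with "..". This catches "../" sequences
// however they are nested; it does not defend against symlinks that an
// earlier entry in the same archive may have planted under dest, which
// needs a separate check (for example, lstat of each parent) at extraction time.
func safeTarget(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name) // Join cleans its result
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil {
		return "", ErrPathTraversal
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return target, nil
}

func main() {
	// Constructed entry names: one benign, one traversing.
	for _, name := range []string{"output/result.json", "../../etc/passwd"} {
		fmt.Printf("unchecked: %-20s -> %s\n", name, unsafeTarget("/work/tmp", name))
		if p, err := safeTarget("/work/tmp", name); err != nil {
			fmt.Printf("checked:   %-20s -> rejected (%v)\n", name, err)
		} else {
			fmt.Printf("checked:   %-20s -> %s\n", name, p)
		}
	}
}
```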

CVSS Base Scores

version 3.1