N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-62157

GHSA ID

GHSA-c2hv-4pfj-mm2r

EPSS Score

CWE

CWE-522

Published

10/14/2025

Updated

10/14/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62157

CVE-2025-62157: Argo Workflow may expose artifact repository credentials

Summary

An attacker who has permissions to read logs from pods in a namespace with Argo Workflow can read workflow-controller logs and get credentials to the artifact repository.

Details

An attacker, by reading the logs of the workflow controller pod, can access the artifact repository, and steal, delete or modify the data that resides there. The workflow-controller logs show the credentials in plaintext.

Impact

An attacker with access to pod logs in the argo namespace can extract plaintext credentials from the workflow-controller logs and gain access to the artifact repository. This can lead to:

Data exfiltration – theft of sensitive or proprietary artifacts
Data tampering – modification of workflows or artifacts
Data destruction – deletion of stored artifacts, leading to potential loss of critical data or pipeline failure

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-62157

GHSA ID

GHSA-c2hv-4pfj-mm2r

EPSS Score

CWE

CWE-522

Published

10/14/2025

Updated

10/14/2025

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/argoproj/argo-workflows/v3	go	>= 3.7.0, < 3.7.3	3.7.3
github.com/argoproj/argo-workflows/v3	go	< 3.6.12	3.6.12

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists because the updateConfig function within the WorkflowController logs the entire application configuration, which includes sensitive credentials for the artifact repository. The analysis of the provided patches confirms this. Both commits, 18ad5138b6bcb2aba04e00b4ec657bc6b8fad8df and bded09fe4abd37cb98d7fc81b4c14a6f5034e9ab, modify the workflow/controller/config.go file. The change in both patches is the removal of the line log.Info("Configuration:\n" + string(bytes)), which was responsible for logging the marshalled configuration data. This line is replaced with a non-sensitive message, log.Info("Configuration updated"). This indicates that the updateConfig function, when called in a vulnerable version, would log the credentials, making it the primary vulnerable function. An attacker who can view the logs of the workflow-controller pod could exploit this to gain unauthorized access to the artifact repository.

Vulnerable functions

WorkflowController.updateConfig

workflow/controller/config.go

The function `updateConfig` in `WorkflowController` was logging the entire workflow controller configuration by marshaling the `wfc.Config` object into YAML and printing it. This configuration object contained sensitive credentials for the artifact repository in plaintext. An attacker with permissions to read the `workflow-controller` logs could therefore steal these credentials.

WAF Protection Rules

WAF Rule

### Summ*ry *n *tt**k*r w*o **s p*rmissions to r*** lo*s *rom po*s in * n*m*sp*** wit* *r*o Work*low **n r*** `work*low-*ontroll*r` lo*s *n* **t *r***nti*ls to t** *rti***t r*pository. ### **t*ils *n *tt**k*r, *y r***in* t** lo*s o* t** work*low *on

Reasoning

T** vuln*r**ility *xists ****us* t** `up**t**on*i*` *un*tion wit*in t** `Work*low*ontroll*r` lo*s t** *ntir* *ppli**tion *on*i*ur*tion, w*i** in*lu**s s*nsitiv* *r***nti*ls *or t** *rti***t r*pository. T** *n*lysis o* t** provi*** p*t***s *on*irms t*

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-62157: Argo Workflow may expose artifact repository credentials

Summary

Details

Impact

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI