8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66626

CVE-2025-66626: RCE via ZipSlip and symbolic links in argoproj/argo-workflows

Summary

The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links.

Details

The untar code that handles symbolic links in archives is unsafe. Concretely, the computation of the link's target and the subsequent check are flawed: https://github.com/argoproj/argo-workflows/blob/5291e0b01f94ba864f96f795bb500f2cfc5ad799/workflow/executor/executor.go#L1034-L1037

PoC

Create a malicious archive containing two files: a symbolik link with path "./work/foo" and target "/etc", and a normal text file with path "./work/foo/hostname".
Deploy a workflow like the one in https://github.com/argoproj/argo-workflows/security/advisories/GHSA-p84v-gxvw-73pf with the malicious archive mounted at /work/tmp.
Submit the workflow and wait for its execution.
Connect to the corresponding pod and observe that the file "/etc/hostname" was altered by the untar operation performed on the malicious archive. The attacker can hence alter arbitrary files in this way.

Impact

The attacker can overwrite the file /var/run/argo/argoexec with a script of their choice, which will be executed at the pod's start.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66626

CVE-2025-66626:

8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/argoproj/argo-workflows/v3	go	>= 3.7.0, < 3.7.5	3.7.5
github.com/argoproj/argo-workflows/v3	go	< 3.6.14	3.6.14
github.com/argoproj/argo-workflows	go	<= 2.5.3-rc4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the untar function in workflow/executor/executor.go. The provided commit 6b92af23f35aed4d4de8b04adcaf19d68f006de1 directly patches this function to fix a ZipSlip vulnerability related to symbolic links. The patch shows that the original code did not properly sanitize the header.Linkname for symbolic links, allowing a symlink to point outside the destination directory. The patch adds validation for the symlink's target. Furthermore, it adds checks before writing regular files (tar.TypeReg) to ensure the file's path does not resolve to a location outside the destination directory via a previously created malicious symlink. The added test case TestUntarMaliciousSymlink confirms the exact attack scenario. Therefore, the untar function is the identified vulnerable function.

Vulnerable functions

untar

workflow/executor/executor.go

The `untar` function was vulnerable to a path traversal (ZipSlip) attack. It did not correctly validate symbolic link targets within a tar archive. An attacker could craft an archive with a symlink pointing to a directory outside the extraction destination (e.g., `../../../../etc`). When the function processed a subsequent file entry intended to be written inside this symlinked directory, it would write the file to an arbitrary location on the filesystem, leading to remote code execution. The original code did not properly validate that the symlink's target was within the destination directory, nor did it check if the path for a regular file traversed a malicious symlink.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66626: RCE via ZipSlip and symbolic links in argoproj/argo-workflows

Summary

Details

PoC

Impact

CVE-2025-66626:

8.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2025-66626: RCE via ZipSlip and symbolic links in argoproj/argo-workflows

Summary

Details

PoC

Impact

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

8.1

8.1

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI