RCE in Argoproj Argo-workflows
CVE-2025-66626
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4 contain unsafe untar code that handles symbolic links in archives…
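The summary names the bug class (unsafe handling of symbolic links while untarring) but not the mechanics, so here is an added, self-contained Go example written for this page. It is not Argo Workflows' untar code and does not reproduce the executor.go logic the references point to; the function names (`BuildMaliciousTar`, `within`, `Extract`, `Demo`), the two-entry archive layout and the sandbox directory names are all this example's own assumptions. The constructed archive plants a symlink `escape -> ..` and then a regular file `escape/pwned.txt`; no entry name contains `..`, so an extractor that only validates names lets the file be written through the symlink into the parent of the destination. The extractor runs in two modes: `safe=false` shows that flawed pattern, `safe=true` additionally resolves each entry's parent directory and rejects any symlink whose target, interpreted from that real location, leaves the destination.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// BuildMaliciousTar returns a constructed (in-memory, example-only) archive: a symlink "escape" -> "..",
// i.e. the parent of the extraction directory, followed by a file written through it. No name contains "..".
func BuildMaliciousTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "escape", Typeflag: tar.TypeSymlink, Linkname: "..", Mode: 0o777})
	tw.WriteHeader(&tar.Header{Name: "escape/pwned.txt", Typeflag: tar.TypeReg, Mode: 0o644, Size: 6})
	tw.Write([]byte("owned\n"))
	if err := tw.Close(); err != nil { // tar.Writer errors are sticky, so Close reports any earlier failure
		panic(err)
	}
	return buf.Bytes()
}

func within(root, p string) bool { // is the cleaned absolute path p equal to root or below it?
	rel, err := filepath.Rel(root, p)
	return err == nil && !strings.HasPrefix(rel+"/", "../")
}

// Extract is a minimal tar extractor (dest absolute and initially empty; directories are created implicitly).
// safe=false mirrors the flawed pattern: names are checked, symlink targets are not. safe=true adds that check.
func Extract(r io.Reader, dest string, safe bool) error {
	if err := os.MkdirAll(dest, 0o755); err != nil {
		return err
	}
	root, err := filepath.EvalSymlinks(dest) // dest itself may sit behind a symlink (e.g. /tmp on macOS)
	if err != nil {
		return err
	}
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		target := filepath.Join(root, hdr.Name)
		if !within(root, target) { // both modes reject ".." in entry names; the flaw is in symlink handling
			return fmt.Errorf("entry %q escapes %s", hdr.Name, dest)
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		if safe {
			// a relative link target is interpreted in the parent's *real* directory, so resolve it first
			resolved, err := filepath.EvalSymlinks(filepath.Dir(target))
			if err != nil {
				return err
			}
			if hdr.Typeflag == tar.TypeSymlink && (filepath.IsAbs(hdr.Linkname) || !within(root, filepath.Join(resolved, hdr.Linkname))) {
				return fmt.Errorf("symlink %q -> %q escapes %s", hdr.Name, hdr.Linkname, dest)
			}
		}
		switch hdr.Typeflag {
		case tar.TypeSymlink:
			err = os.Symlink(hdr.Linkname, target)
		case tar.TypeReg: // unsafe mode opens this path through any symlink the archive planted
			var data []byte
			if data, err = io.ReadAll(tr); err == nil { // whole entry buffered; fine for an example
				err = os.WriteFile(target, data, os.FileMode(hdr.Mode))
			}
		}
		if err != nil {
			return err
		}
	}
}

// Demo extracts the constructed archive into a throwaway sandbox/dest, safe mode first (it rejects the symlink
// and writes nothing), then unsafe mode. Returns whether sandbox/pwned.txt (outside dest) appeared, and safe mode's error.
func Demo() (escaped bool, safeErr error) {
	sandbox, err := os.MkdirTemp("", "untar-demo")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(sandbox)
	safeErr = Extract(bytes.NewReader(BuildMaliciousTar()), filepath.Join(sandbox, "dest"), true)
	unsafeErr := Extract(bytes.NewReader(BuildMaliciousTar()), filepath.Join(sandbox, "dest"), false)
	_, statErr := os.Stat(filepath.Join(sandbox, "pwned.txt")) // outside dest: reachable only via the symlink
	return unsafeErr == nil && statErr == nil, safeErr
}

func main() {
	escaped, err := Demo()
	fmt.Printf("unsafe extractor wrote outside dest: %v\nsafe extractor: %v\n", escaped, err)
}
```

Run it with `go run`: the unsafe pass reports true (pwned.txt appears beside, not inside, dest) and the safe pass returns an error for the first entry. Resolving the parent before checking the link target matters because a link such as `a -> .` makes a later entry `a/b/c` live in a shallower real directory than its name suggests, so a lexically harmless target like `../../x` would otherwise escape. The safe path assumes dest starts empty; if it may already contain symlinks, also check that the resolved parent itself is still inside root before writing, and hard links (tar.TypeLink) need the same treatment as symlinks.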
EPSS: 0.001 (25.3rd percentile). EPSS estimates the probability of exploitation activity in the wild over the next 30 days; a score this low reflects a lack of observed exploitation, not low impact.
CVSS v3 metric
CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, i.e. reachable over the network with low attack complexity by a low-privileged account and no user interaction; impact is rated high on integrity and availability and none on confidentiality, with no scope change.
Affected products
- Argoproj Argo-workflows (Go module github.com/argoproj/argo-workflows/v3): >= 3.7.0, < 3.7.5
- Argoproj Argo-workflows (Go module github.com/argoproj/argo-workflows/v3): < 3.6.14
- Argoproj Argo-workflows (Go module github.com/argoproj/argo-workflows): <= 2.5.3-rc4
Weakness classification (CWE)
- Relative Path Traversal (CWE-23)
References
- Project security advisory GHSA-xrqc-7xgx-c9vh: https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xrqc-7xgx-c9vh
- Commit referenced by the advisory: https://github.com/argoproj/argo-workflows/commit/6b92af23f35aed4d4de8b04adcaf19d68f006de1
- GitHub Advisory Database entry GHSA-p84v-gxvw-73pf: https://github.com/advisories/GHSA-p84v-gxvw-73pf
- Referenced source lines (workflow/executor/executor.go, lines 1034-1037): https://github.com/argoproj/argo-workflows/blob/5291e0b01f94ba864f96f795bb500f2cfc5ad799/workflow/executor/executor.go#L1034-L1037
Frequently asked questions
- What is CVE-2025-66626?
- CVE-2025-66626 is a high-severity vulnerability in Argoproj Argo-workflows, classified under Relative Path Traversal. CVSS score: 8.1/10. Published 2025-12-09.
- How severe is CVE-2025-66626?
- High severity. CVSS v3 base score is 8.1 out of 10.