CVE-2025-66626

HIGH
Published Dec 9, 2025 Modified Dec 19, 2025 CWE-23 CWE-78 CWE-59

Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4, contain unsafe untar code that handles symbolic links in archives. Concretely, the computation of a link's target and the subsequent check are flawed. An attacker can overwrite the file /var/run/argo/argoexec with a script of their choice, which would be executed at the pod's start. The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links. This issue is fixed in versions 3.6.14 and 3.7.5.

Is your site exposed to CVE-2025-66626?

Run a free security scan — no signup, results in seconds.

CVSS v3.1 Score

8.1
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Weakness Type (CWE)

CWE-23 CWE-23
CWE-78 OS Command Injection
CWE-59 CWE-59

Affected Products

Vendor Product
argoproj argo_workflows
argoproj argo_workflows

References

Frequently Asked Questions

What is CVE-2025-66626? +
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4, contain unsafe untar code that handles symbolic links in archives. Concretely, the computation of a link's target and the subsequent check are flawed. An attacker can overwrite the file /var/run/argo/argoexec with a script of their choice, which would be executed at the pod's start. The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links. This issue is fixed in versions 3.6.14 and 3.7.5. It has a CVSS v3.1 base score of 8.1 (HIGH).
How severe is CVE-2025-66626? +
CVE-2025-66626 has a CVSS v3.1 score of 8.1 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.
What products are affected by CVE-2025-66626? +
CVE-2025-66626 affects products from argoproj, specifically: argo_workflows. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2025-66626? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2025-66626 — free, no signup required.