=====================================================================
                             CERT-Renater
                 Information Note No. 2025/VULN866
_____________________________________________________________________

DATE                : 17/12/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S) : Systems running argo-workflows (Go) versions prior to 3.7.5, 3.6.14.
=====================================================================
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xrqc-7xgx-c9vh
_____________________________________________________________________

RCE via ZipSlip and symbolic links in argoproj/argo-workflows

High
Joibel published GHSA-xrqc-7xgx-c9vh Dec 9, 2025

Package
github.com/argoproj/argo-workflows (Go)

Affected versions
>=3.7.0, <=3.7.5
<3.6.14

Patched versions
3.7.5
3.6.14

Description

Summary

The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links.

Details

The untar code that handles symbolic links in archives is unsafe. Concretely, the computation of the link's target and the subsequent check are flawed:

argo-workflows/workflow/executor/executor.go, lines 1034 to 1037 in 5291e0b

    linkTarget := filepath.Join(filepath.Dir(target), header.Linkname)
    if !strings.HasPrefix(filepath.Clean(linkTarget), filepath.Clean(dest)+string(os.PathSeparator)) {
        return fmt.Errorf("illegal symlink target: %s -> %s", header.Name, header.Linkname)
    }

PoC

1. Create a malicious archive containing two files: a symbolic link with path "./work/foo" and target "/etc", and a normal text file with path "./work/foo/hostname".
2. Deploy a workflow like the one in GHSA-p84v-gxvw-73pf with the malicious archive mounted at /work/tmp.
3. Submit the workflow and wait for its execution.
4. Connect to the corresponding pod and observe that the file "/etc/hostname" was altered by the untar operation performed on the malicious archive.

The attacker can hence alter arbitrary files in this way.
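The check quoted under Details, run on the link entry from the PoC, beside a stricter validation: this is an added Go example, not code from the advisory or from the argo-workflows patch. The helper names strictCheck and throughSymlink and the extraction directory "/dest" are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// quotedCheck reproduces the check from the advisory. filepath.Join treats an
// absolute Linkname as one more relative element, so "/etc" appears to stay in dest.
func quotedCheck(dest, target, linkname string) bool {
	linkTarget := filepath.Join(filepath.Dir(target), linkname)
	return strings.HasPrefix(filepath.Clean(linkTarget), filepath.Clean(dest)+string(os.PathSeparator))
}

// strictCheck (hypothetical helper) rejects absolute link names, then requires the
// resolved relative target to stay under dest.
func strictCheck(dest, target, linkname string) bool {
	if filepath.IsAbs(linkname) {
		return false
	}
	rel, err := filepath.Rel(filepath.Clean(dest), filepath.Join(filepath.Dir(target), linkname))
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(os.PathSeparator))
}

// throughSymlink (hypothetical helper) reports whether an already extracted parent
// directory of target is a symlink, so that writing target would follow it.
func throughSymlink(dest, target string) bool {
	rel, err := filepath.Rel(dest, filepath.Dir(target))
	if err != nil {
		return true // cannot relate the paths: treat as unsafe
	}
	cur := dest
	for _, part := range strings.Split(rel, string(os.PathSeparator)) {
		cur = filepath.Join(cur, part)
		if fi, err := os.Lstat(cur); err == nil && fi.Mode()&os.ModeSymlink != 0 {
			return true
		}
	}
	return false
}

func main() {
	// Constructed entry matching the PoC: link ./work/foo -> /etc under "/dest".
	dest, target := "/dest", "/dest/work/foo"
	fmt.Println("quoted check accepts:", quotedCheck(dest, target, "/etc"))
	fmt.Println("strict check accepts:", strictCheck(dest, target, "/etc"))
}
```

An extractor would call throughSymlink before writing each regular file, so that an entry such as "./work/foo/hostname" is refused when "./work/foo" is already a link.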

Impact

The attacker can overwrite the file /var/run/argo/argoexec with a script of their choice, which will be executed at the pod's start.

Severity
High 8.1 / 10

CVSS v3 base metrics
Attack vector       : Network
Attack complexity   : Low
Privileges required : Low
User interaction    : None
Scope               : Unchanged
Confidentiality     : None
Integrity           : High
Availability        : High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CVE ID
CVE-2025-66626

Weaknesses
CWE-23
CWE-78

Credits
@cristianstaicu (Reporter)
@meenakshisl

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================