Argo Workflows, an open-source container-native workflow engine for Kubernetes, suffers from a critical relative path traversal vulnerability (CVE-2025-66626) in versions 3.6.13 and below and 3.7.0 through 3.7.4. The root cause lies in unsafe untar code that improperly handles symbolic links within archive files. Specifically, the computation of a symbolic link's target path and the subsequent security checks are flawed, allowing an attacker to craft malicious archives containing symbolic links that traverse directories and overwrite arbitrary files on the host filesystem. The primary impact is the ability to overwrite the file /var/run/argo/argoexec with attacker-controlled scripts. Since this file is executed at pod startup, the attacker gains the ability to execute arbitrary code within the pod context, potentially escalating privileges or disrupting workflows. Notably, the patch for a related vulnerability (CVE-2025-62156) does not mitigate this issue, indicating a distinct flaw in symbolic link handling. The vulnerability requires network access and low privileges (PR:L) but no user interaction (UI:N). The CVSS v3.1 score of 8.1 reflects a high severity due to the ease of exploitation and significant impact on integrity and availability of Kubernetes workloads orchestrated by Argo Workflows. This vulnerability affects multiple versions, including all releases prior to 3.6.14 and between 3.7.0 and 3.7.4, necessitating urgent patching. No known exploits are currently reported in the wild, but the potential for impactful attacks is high given the widespread use of Argo Workflows in cloud-native environments.

For European organizations, this vulnerability poses a significant risk to Kubernetes-based CI/CD pipelines and workflow automation relying on Argo Workflows. Successful exploitation can lead to arbitrary code execution inside pods, enabling attackers to manipulate workflow execution, exfiltrate sensitive data, or disrupt critical business processes. The ability to overwrite executable files at pod startup can facilitate persistent footholds and lateral movement within containerized environments. Given the increasing adoption of Kubernetes and Argo Workflows in European enterprises, especially in sectors like finance, manufacturing, and public services, the impact includes potential operational downtime, data integrity loss, and compliance violations under regulations such as GDPR. Additionally, compromised workflows could be leveraged to deploy further malware or ransomware, amplifying the threat. The lack of required user interaction and relatively low privilege requirements increase the attack surface, especially in multi-tenant or shared Kubernetes clusters common in European cloud providers.

European organizations should immediately upgrade Argo Workflows to versions 3.6.14 or 3.7.5 or later to remediate this vulnerability. Until upgrades are applied, restrict network access to Argo Workflows endpoints to trusted users and networks to limit exposure. Implement strict validation and sanitization of all archive files used in workflows, particularly scrutinizing symbolic links to prevent path traversal. Employ Kubernetes Pod Security Policies or equivalent admission controllers to restrict execution privileges and prevent unauthorized file overwrites. Monitor workflow execution logs and container file systems for unusual modifications to /var/run/argo/argoexec or other critical files. Use runtime security tools to detect anomalous pod startup behaviors indicative of exploitation. Regularly audit and rotate credentials and secrets used within workflows to limit attacker persistence. Finally, coordinate with cloud providers and security teams to ensure rapid incident response capabilities in case of exploitation.