GHSA-c2hv-4pfj-mm2r: Argo Workflow may expose artifact repository credentials

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2025-62157

Argo Workflow may expose artifact repository credentials

High severity GitHub Reviewed Published Oct 14, 2025 in argoproj/argo-workflows • Updated Oct 14, 2025

Package

gomod github.com/argoproj/argo-workflows/v3 (Go)

Affected versions

>= 3.7.0, < 3.7.3

< 3.6.12

Patched versions

3.7.3

3.6.12

Summary

An attacker who has permissions to read logs from pods in a namespace with Argo Workflow can read workflow-controller logs and get credentials to the artifact repository.

Details

An attacker, by reading the logs of the workflow controller pod, can access the artifact repository, and steal, delete or modify the data that resides there. The workflow-controller logs show the credentials in plaintext.

Impact

An attacker with access to pod logs in the argo namespace can extract plaintext credentials from the workflow-controller logs and gain access to the artifact repository. This can lead to:

• Data exfiltration – theft of sensitive or proprietary artifacts
• Data tampering – modification of workflows or artifacts
• Data destruction – deletion of stored artifacts, leading to potential loss of critical data or pipeline failure

References

• GHSA-c2hv-4pfj-mm2r
• https://nvd.nist.gov/vuln/detail/CVE-2025-62157
• argoproj/argo-workflows@18ad513
• argoproj/argo-workflows@bded09f

Published to the GitHub Advisory Database

Oct 14, 2025

Last updated

Oct 14, 2025