CVE-2025-66626: RCE via ZipSlip and symbolic links in argoproj/argo-workflows
The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links.
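The failure mode named above is worth seeing concretely: a name-only path check stops `../` traversal (ZipSlip), but an archive can first drop a symlink whose target lies outside the destination and then write a later entry through it. The following Go program is an added example, not code from argo-workflows or from its fix; it shows a hardened tar extractor that rejects names escaping the destination, rejects symlink entries whose resolved target leaves the destination, and re-resolves the parent directory of every write so that no planted link can redirect it. The archives it unpacks are constructed in memory for the demonstration, and the `entry` type and helper names are this example's own.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesDest marks any entry that would read or write outside the destination.
var ErrEscapesDest = errors.New("archive entry escapes destination directory")

// insideDest reports whether an absolute, cleaned path lies within root.
func insideDest(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeParent resolves symlinks in the deepest existing ancestor of target,
// checks it is still inside root, creates any missing directories below it,
// and returns the fully resolved parent directory of target.
func safeParent(root, target string) (string, error) {
	dir := filepath.Dir(target)
	existing := dir
	for { // root itself exists, so this loop always terminates
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		existing = filepath.Dir(existing)
	}
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	if !insideDest(root, resolved) {
		return "", fmt.Errorf("%w: parent resolves to %q", ErrEscapesDest, resolved)
	}
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return "", err
	}
	return filepath.EvalSymlinks(dir)
}

// SafeExtract unpacks a tar stream under dest (which must already exist).
func SafeExtract(r io.Reader, dest string) error {
	root, err := filepath.EvalSymlinks(filepath.Clean(dest))
	if err != nil {
		return err
	}
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		target := filepath.Join(root, hdr.Name) // Join cleans, folding ".." segments
		if !insideDest(root, target) {          // classic ZipSlip check on the name
			return fmt.Errorf("%w: %q", ErrEscapesDest, hdr.Name)
		}
		parent, err := safeParent(root, target) // symlink-aware check on the write location
		if err != nil {
			return err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return err
			}
		case tar.TypeSymlink:
			linkDest := hdr.Linkname // resolve relative to the link's own directory
			if !filepath.IsAbs(linkDest) {
				linkDest = filepath.Join(parent, linkDest)
			}
			if !insideDest(root, filepath.Clean(linkDest)) {
				return fmt.Errorf("%w: symlink %q -> %q", ErrEscapesDest, hdr.Name, hdr.Linkname)
			}
			if err := os.Symlink(hdr.Linkname, target); err != nil {
				return err
			}
		case tar.TypeReg:
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode)&0o777)
			if err != nil {
				return err
			}
			_, err = io.Copy(f, tr)
			f.Close()
			if err != nil {
				return err
			}
		}
	}
}

// entry describes one constructed tar member for the sample archives below.
type entry struct {
	name, link, body string
	typ              byte
}

func buildTar(entries []entry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Typeflag: e.typ, Mode: 0o644, Linkname: e.link, Size: int64(len(e.body))}
		if e.typ == tar.TypeDir {
			hdr.Mode = 0o755
		}
		tw.WriteHeader(hdr)
		if e.typ == tar.TypeReg {
			tw.Write([]byte(e.body))
		}
	}
	tw.Close()
	return buf.Bytes()
}

// MaliciousArchive is constructed sample data: every name passes a name-only
// check, but "out" links outside dest and "out/evil.txt" would write through it.
func MaliciousArchive() []byte {
	return buildTar([]entry{
		{name: "readme.txt", typ: tar.TypeReg, body: "hello"},
		{name: "out", typ: tar.TypeSymlink, link: "../../escape"},
		{name: "out/evil.txt", typ: tar.TypeReg, body: "written outside dest"},
	})
}

// BenignArchive is constructed sample data with an in-tree symlink that must extract fine.
func BenignArchive() []byte {
	return buildTar([]entry{
		{name: "dir", typ: tar.TypeDir},
		{name: "dir/a.txt", typ: tar.TypeReg, body: "a"},
		{name: "dir/alias", typ: tar.TypeSymlink, link: "a.txt"},
	})
}

func main() {
	dest, _ := os.MkdirTemp("", "extract")
	defer os.RemoveAll(dest)
	fmt.Println("benign:", SafeExtract(bytes.NewReader(BenignArchive()), dest))
	fmt.Println("malicious:", SafeExtract(bytes.NewReader(MaliciousArchive()), dest))
}
```

The two checks are deliberately separate: the name check alone is the one a ZipSlip fix typically adds, and the malicious archive passes it, since neither `out` nor `out/evil.txt` contains `..`; only the symlink-target check and the re-resolution of the parent directory stop the escape. Extraction fails at the symlink entry, so the file that would have followed it is never written.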
References
- github.com/advisories/GHSA-p84v-gxvw-73pf
- github.com/advisories/GHSA-xrqc-7xgx-c9vh
- github.com/argoproj/argo-workflows
- github.com/argoproj/argo-workflows/blob/5291e0b01f94ba864f96f795bb500f2cfc5ad799/workflow/executor/executor.go
- github.com/argoproj/argo-workflows/commit/6b92af23f35aed4d4de8b04adcaf19d68f006de1
- github.com/argoproj/argo-workflows/security/advisories/GHSA-xrqc-7xgx-c9vh
- nvd.nist.gov/vuln/detail/CVE-2025-66626
Code Behaviors & Features
Detect and mitigate CVE-2025-66626 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.