CVE-2021-37914: 
Wolfi vulnerability analysis and mitigation

In Argo Workflows through version 3.1.3, a security vulnerability exists when EXPRESSION_TEMPLATES is enabled and untrusted users are allowed to specify input parameters when running workflows. This vulnerability allows an attacker to potentially disrupt a workflow by exploiting the fact that expression template output is evaluated (NVD).

The vulnerability stems from the way expression template output is evaluated as a literal part of the JSON-stringified template. The issue occurs because the golang JSON marshaler allows duplicate keys and the stringified template keys are alphabetically ordered, allowing a poisoned 'env' value to override the original 'args' field. This enables attackers to rewrite parts of a workflow using only input parameters (GitHub Issue).

When exploited, this vulnerability allows attackers to disrupt workflow execution and potentially rewrite parts of a workflow. The motivated attacker could find various ways to maliciously mutate a workflow, affecting its intended operation (NVD).

Users can mitigate this vulnerability by either upgrading to a version after 3.1.3 or by disabling EXPRESSION_TEMPLATES in the controller configuration. For environments where these options are not immediately available, limiting access to workflow input parameters to trusted users is recommended (GitHub Issue).