CVE-2025-62156: 
Wolfi vulnerability analysis and mitigation

Argo Workflows, an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes, contains a Zip Slip path traversal vulnerability (CVE-2025-62156) in versions prior to 3.6.12 and versions 3.7.0 through 3.7.2. The vulnerability was discovered and disclosed on October 14, 2025, affecting the artifact extraction functionality (GitHub Advisory).

The vulnerability exists in the unpack/untar logic (workflow/executor/executor.go) where the code uses filepath.Join(dest, filepath.Clean(header.Name)) without validating that header.Name stays within the intended extraction directory. This implementation allows a malicious archive entry to supply a traversal or absolute path that, after cleaning, can override the destination directory and cause files to be written outside the /work/tmp extraction path and into system directories such as /etc inside the container. The vulnerability has been assigned a CVSS v3.1 score of 8.1 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H (GitHub Advisory).

The vulnerability enables arbitrary file creation or overwrite in system configuration locations (for example /etc/passwd, /etc/hosts, /etc/crontab), which can lead to privilege escalation or persistence within the affected container. This container isolation bypass allows attackers to potentially compromise the security of the container by manipulating critical system files (GitHub Advisory).

Users should update to version 3.6.12 or 3.7.3 to remediate the issue. These patched versions include fixes that properly validate file paths during artifact extraction (GitHub Advisory).