CVE-2025-62157

Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Argo Workflows versions prior to 3.6.12 and versions 3.7.0 through 3.7.2 expose artifact repository credentials in plaintext in workflow-controller pod logs. An attacker with permissions to read pod logs in a namespace running Argo Workflows can read the workflow-controller logs and obtain credentials to the artifact repository. Update to versions 3.6.12 or 3.7.3 to remediate the vulnerability. No known workarounds exist.

How to fix CVE-2025-62157

To remediate CVE-2025-62157, upgrade the affected package to a fixed version below.

• —upgrade to 3.6.12 or later
• —no fix listed
• —no fix listed
• —upgrade to 3.7.3 or later
• —upgrade to 3.6.12 or later

Is CVE-2025-62157 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0, < 3.6.12, >= 3.7.0, < 3.7.3
• from 0
• from 0
• >= 3.7.0, < 3.7.3
• from 0, < 3.6.12, >= 3.7.0, < 3.7.3

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-62157
• PATCHgithub.com/argoproj/argo-workflows
• WEBgithub.com/argoproj/argo-workflows/commit/18ad5138b6bcb2aba04e00b4ec657bc6b8fad8df
• WEBgithub.com/argoproj/argo-workflows/commit/bded09fe4abd37cb98d7fc81b4c14a6f5034e9ab