CRITICAL🇵🇱 Wersja polska

CVE-2025-32445

CVSS 9.9v3.1pub. 2025-04-15upd. 2026-04-15

Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. The EventSource and Sensor CRs allow the corresponding orchestrated pod to be customized with spec.template and spec.template.container (with type k8s.io/api/core/v1.Container), thus, any specification under container such as command, args, securityContext , volumeMount can be specified, and applied to the EventSource or Sensor pod. With these, a user would be able to gain privileged access to the cluster host, if he/she specified the EventSource/Sensor CR with some particular properties under template. This vulnerability is fixed in v1.9.6.

🤖 AI Analysis
How it works

EventSource and Sensor resources allow customization of associated pod configuration through spec.template and spec.template.container fields, which accept a full container specification conforming to the k8s.io/api/core/v1.Container type. An attacker can use these fields to specify parameters such as command, args, securityContext, or volumeMount for the running pod. Appropriately constructed properties in the template section allow launching a container with elevated privileges, effectively granting access to host resources and the entire cluster. This is a typical case of CWE-250 — excessive privileges granted to a process or component.

Impact

An attacker can obtain privileged access to the Kubernetes cluster host system, potentially taking full control of the cluster — leading to violations of confidentiality, integrity, and availability of data and resources.

Mitigation & patch

Argo Events should be updated to version v1.9.6, where the vulnerability was fixed. A patch is available in the project repository (commit 18412293a699f559848b00e6e459c9ce2de0d3e2). Additionally, it is recommended to review and restrict RBAC permissions for creating/modifying EventSource and Sensor resources to trusted users only.

Who is affected

Argo Events in versions prior to v1.9.6, where users have permissions to create or modify EventSource and Sensor resources.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Container
CWE
References