Description

Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. The EventSource and Sensor CRs allow the corresponding orchestrated pod to be customized with spec.template and spec.template.container (with type k8s.io/api/core/v1.Container), thus, any specification under container such as command, args, securityContext , volumeMount can be specified, and applied to the EventSource or Sensor pod. With these, a user would be able to gain privileged access to the cluster host, if he/she specified the EventSource/Sensor CR with some particular properties under template. This vulnerability is fixed in v1.9.6.

INFO

Published Date :

2025-04-15T19:22:36.051Z

Last Modified :

2025-04-15T20:07:10.640Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-32445 vulnerability.

Vendors Products
Argoproj
  • Argo Events
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-32445.

URL Resource
https://github.com/argoproj/argo-events cve-icon
https://github.com/argoproj/argo-events/commit/18412293a699f559848b00e6e459c9ce2de0d3e2 cve-icon cve-icon cve-icon
https://github.com/argoproj/argo-events/pull/3528 cve-icon
https://github.com/argoproj/argo-events/security/advisories/GHSA-hmp7-x699-cvhq cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-32445 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-32445 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact