CVE-2025-32445
published 2025-04-15CVE-2025-32445: Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create/modify EventSource and Sensor custom resources…
PriorityP261critical9.9CVSS 3.1
AVNACLPRLUINSCCHIHAH
EPSS
0.67%
47.4th percentile
Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. The EventSource and Sensor CRs allow the corresponding orchestrated pod to be customized with spec.template and spec.template.container (with type k8s.io/api/core/v1.Container), thus, any specification under container such as command, args, securityContext , volumeMount can be specified, and applied to the EventSource or Sensor pod. With these, a user would be able to gain privileged access to the cluster host, if he/she specified the EventSource/Sensor CR with some particular properties under template. This vulnerability is fixed in v1.9.6.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo-events | < 1.9.6 | 1.9.6 |
| github.com | argoproj_argo-events | >= 0 < 1.9.6 | 1.9.6 |
Detection & IOCsextracted from sources · hover to see the quote
- →Look for EventSource or Sensor custom resources with suspicious spec.template.container fields such as command, args, securityContext, or volumeMount that could indicate privilege escalation attempts ↗
- →Audit Kubernetes RBAC for users/service accounts with create/update/patch permissions on EventSource and Sensor custom resources in argo-events, as these permissions are sufficient to exploit this vulnerability ↗
- →Monitor for EventSource or Sensor pods spawned with privileged securityContext settings or host path volume mounts, which may indicate active exploitation of this vulnerability ↗
- ·The vulnerability is fixed in v1.9.6; deployments running argo-events prior to this version are affected and should be upgraded ↗
- ·Red Hat OpenShift AI (RHOAI) components (odh-data-science-pipelines-argo-argoexec and odh-data-science-pipelines-argo-workflowcontroller) are NOT affected because argo-events (EventSource CRD) is not deployed in that environment ↗
CVSS provenance
nvdv3.19.9CRITICALCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vendor_redhat9.9CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR in github.com/argoproj/argo-events
osv·2025-04-22
CVE-2025-32445 Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR in github.com/argoproj/argo-events
Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR in github.com/argoproj/argo-events
Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR in github.com/argoproj/argo-events
OSV
Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR
osv·2025-04-14
CVE-2025-32445 [CRITICAL] Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR
Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR
### Summary:
A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges.
### Details:
The `EventSource` and `Sensor` CRs allow the corresponding orchestrated pod to be customized with `spec.template` and `spec.template.container` (with type `k8s.io/api/core/v1.Container`), thus, any specification under `container` such as `command`, `args`, `securityContext `, `volumeMount` can be specified, and applied to the EventSource or Sensor pod due to the code logic below.
```golang
if args.EventSource.Spec.Template != nil && args.EventSource.Spec.Template.C
GHSA
Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR
ghsa·2025-04-14
CVE-2025-32445 [CRITICAL] CWE-250 Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR
Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR
### Summary:
A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges.
### Details:
The `EventSource` and `Sensor` CRs allow the corresponding orchestrated pod to be customized with `spec.template` and `spec.template.container` (with type `k8s.io/api/core/v1.Container`), thus, any specification under `container` such as `command`, `args`, `securityContext `, `volumeMount` can be specified, and applied to the EventSource or Sensor pod due to the code logic below.
```golang
if args.EventSource.Spec.Template != nil && args.EventSource.Spec.Template.C
Red Hat
argo-events: Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR
vendor_redhat·2025-04-14·CVSS 9.9
CVE-2025-32445 [CRITICAL] CWE-268 argo-events: Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR
argo-events: Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR
Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. The EventSource and Sensor CRs allow the corresponding orchestrated pod to be customized with spec.template and spec.template.container (with type k8s.io/api/core/v1.Container), thus, any specification under container such as command, args, securityContext , volumeMount can be specified, and applied to the EventSource or Sensor pod. With these, a user would be able to gain privileged access to the cluster
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-04-15
Published