cbcvebase.
CVE-2025-32445
published 2025-04-15

CVE-2025-32445: Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create/modify EventSource and Sensor custom resources…

PriorityP261critical9.9CVSS 3.1
AVNACLPRLUINSCCHIHAH
EPSS
0.67%
47.4th percentile
Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. The EventSource and Sensor CRs allow the corresponding orchestrated pod to be customized with spec.template and spec.template.container (with type k8s.io/api/core/v1.Container), thus, any specification under container such as command, args, securityContext , volumeMount can be specified, and applied to the EventSource or Sensor pod. With these, a user would be able to gain privileged access to the cluster host, if he/she specified the EventSource/Sensor CR with some particular properties under template. This vulnerability is fixed in v1.9.6.

Affected

2 ranges
VendorProductVersion rangeFixed in
argoprojargo-events< 1.9.61.9.6
github.comargoproj_argo-events>= 0 < 1.9.61.9.6

Detection & IOCsextracted from sources · hover to see the quote

  • Look for EventSource or Sensor custom resources with suspicious spec.template.container fields such as command, args, securityContext, or volumeMount that could indicate privilege escalation attempts
  • Audit Kubernetes RBAC for users/service accounts with create/update/patch permissions on EventSource and Sensor custom resources in argo-events, as these permissions are sufficient to exploit this vulnerability
  • Monitor for EventSource or Sensor pods spawned with privileged securityContext settings or host path volume mounts, which may indicate active exploitation of this vulnerability
  • ·The vulnerability is fixed in v1.9.6; deployments running argo-events prior to this version are affected and should be upgraded
  • ·Red Hat OpenShift AI (RHOAI) components (odh-data-science-pipelines-argo-argoexec and odh-data-science-pipelines-argo-workflowcontroller) are NOT affected because argo-events (EventSource CRD) is not deployed in that environment

CVSS provenance

nvdv3.19.9CRITICALCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vendor_redhat9.9CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.