Weak credential policy in github.com/argoproj/argo-workflows/v4
Description
Argo vulnerable to exposure of artifact repository credentials
Summary
The workflow executor logs all artifact repository credentials (S3 access keys, secret keys and session tokens, GCS service account keys, Azure account keys, Git passwords, etc.) in plaintext on every artifact operation. Any user with read access to the workflow pod's logs can extract these credentials.
Note: this issue results from an incomplete fix of CVE-2025-62157.
Details
The logging driver passes the entire ArtifactDriver struct to the structured logger as a log field, so every field of the underlying driver, credentials included, is serialized into the log line. For example: https://github.com/argoproj/argo-workflows/blob/59f1089b9875723ddffd524513e6bd5cb37e5e31/workflow/artifacts/logging/driver.go#L24
Exposed credential fields:
S3 (workflow/artifacts/s3/s3.go): AccessKey, SecretKey, SessionToken, ServerSideCustomerKey
OSS (workflow/artifacts/oss/oss.go): AccessKey, SecretKey, SecurityToken
GCS (workflow/artifacts/gcs/gcs.go): ServiceAccountKey
PoC
Create template
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  name: cred-leak-test
  namespace: argo
spec:
  entrypoint: main
  templates: ...
Then check the logs of the wait container, which performs the artifact operations:
kubectl -n argo logs "cred-leak-test" -c wait
Impact
Any user with Kubernetes RBAC permission to read pod logs (the pods/log subresource) in the workflow namespace can extract artifact repository credentials.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| go | github.com/argoproj/argo-workflows/v4 | | 4.0.5 |
Aliases
References