CVE-2025-32445: Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR
A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges.
References
- github.com/advisories/GHSA-hmp7-x699-cvhq
- github.com/argoproj/argo-events
- github.com/argoproj/argo-events/commit/18412293a699f559848b00e6e459c9ce2de0d3e2
- github.com/argoproj/argo-events/pull/3528
- github.com/argoproj/argo-events/security/advisories/GHSA-hmp7-x699-cvhq
- nvd.nist.gov/vuln/detail/CVE-2025-32445
- pkg.go.dev/vuln/GO-2025-3608