Escaping the Event Loop: Complete Cluster Compromise in Argo Events
Vulnerability ID: CVE-2025-32445
CVSS Score: 9.9
Published: 2025-04-15
A critical privilege escalation vulnerability in Argo Events allows users with limited namespace access to inject arbitrary container specifications, leading to root-level node compromise and cluster takeover.
TL;DR
Argo Events let users define the full Kubernetes Container spec inside the pod template of an EventSource or Sensor. Anyone who could create one of those resources could therefore also set command, args and securityContext.privileged: true on the pod the controller creates for it, which amounts to a root shell on the underlying node. Fixed in v1.9.6 by restricting which container fields the CRDs accept.
⚠️ Exploit Status: POC
Technical Details
- Attack Vector: Network (API)
- Privileges Required: Low (Namespace Edit)
- CVSS v3.1: 9.9 (Critical)
- CWE: CWE-250: Execution with Unnecessary Privileges
- Impact: Cluster Admin / Host Root
- Patch Status: Released (v1.9.6)
Affected Systems
- Argo Events Controller
- Kubernetes Clusters running Argo Events < 1.9.6
- argo-events: < 1.9.6 (fixed in 1.9.6)
Code Analysis
Commit: 1841229
fix: restrict container fields in sensor and eventsource
Removing command, args, and image fields from user-facing CRD struct
Exploit Details
- Manual Analysis: An EventSource or Sensor custom resource (not a CRD) whose container template sets command: ["/bin/sh"] and securityContext.privileged: true is enough to demonstrate the flaw. The controller copied those fields verbatim into the pod it created, so the resulting container ran privileged with an entrypoint chosen by the namespace user.
Mitigation Strategies
- Upgrade Argo Events to v1.9.6 or later immediately.
- Enforce Kubernetes Pod Security Standards (PSS) at the 'Restricted' level in every namespace where Argo Events creates listener pods, so privileged containers and hostPath volumes are rejected at admission regardless of what the custom resource asks for.
- Use an admission controller (OPA Gatekeeper or Kyverno) to deny EventSources/Sensors whose template sets 'hostPath' volumes, 'privileged: true', or 'command'/'args' overrides, so the object is rejected before the controller ever acts on it.
Remediation Steps:
- Identify the current version of Argo Events running in the cluster (the IMAGES column shows the controller tag):
  kubectl get deployment -n argo-events -o wide
- Apply the update manifest:
  kubectl apply -f https://raw.githubusercontent.com/argoproj/argo-events/stable/manifests/install.yaml
  Note that 'stable' is a moving branch, not a pinned release; confirm the image it pulls is v1.9.6 or later.
- Verify the controller pod has restarted and is running the new image.
- Audit existing EventSource and Sensor resources for suspicious container overrides (command, args, a privileged securityContext, hostPath volumes).
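As an added example (it is not code from this page or from the Argo Events project), the following Python script performs the audit described in the last step above and, because it embeds a constructed EventSource carrying the injected template from the Exploit Details section, also shows concretely what that injected object looks like. It reads the output of `kubectl get eventsources,sensors -A -o json` from stdin, or audits the built-in samples when nothing is piped in. The field path spec.template.container / spec.template.volumes is my reading of the pre-1.9.6 template schema, and every name, namespace and manifest below is constructed; check the path against your own CRDs before relying on it.

```python
"""Audit Argo Events EventSource/Sensor objects for injected container overrides.

Usage (live cluster):
    kubectl get eventsources,sensors -A -o json | python3 audit_argo_events.py
With no piped input the constructed samples below are audited instead.
"""
from __future__ import annotations

import json
import sys

# Container fields an event listener never needs (the vectors in CVE-2025-32445).
RISKY_CONTAINER_KEYS = ("command", "args")


def audit_resource(obj: dict) -> list[str]:
    """Return findings for one EventSource or Sensor; an empty list means clean."""
    meta = obj.get("metadata") or {}
    ident = f"{obj.get('kind', '?')}/{meta.get('namespace', '?')}/{meta.get('name', '?')}"
    # Assumed field path: spec.template.{container,volumes} (pre-1.9.6 schema).
    template = (obj.get("spec") or {}).get("template") or {}
    container = template.get("container") or {}
    findings = []

    for key in RISKY_CONTAINER_KEYS:
        if key in container:
            findings.append(f"{ident}: container overrides {key}={container[key]!r}")

    if (container.get("securityContext") or {}).get("privileged"):
        findings.append(f"{ident}: container requests privileged: true")

    for vol in template.get("volumes") or []:
        if "hostPath" in vol:
            path = (vol["hostPath"] or {}).get("path")
            findings.append(f"{ident}: volume {vol.get('name')!r} is hostPath {path!r}")

    return findings


def audit_items(items: list[dict]) -> list[str]:
    """Audit every object in a kubectl List and flatten the findings."""
    out: list[str] = []
    for item in items:
        out.extend(audit_resource(item))
    return out


# Constructed samples (not real cluster data). The first mirrors the injected
# template from the Exploit Details: command/args, privileged, hostPath volume.
INJECTED_EVENTSOURCE = {
    "apiVersion": "argoproj.io/v1alpha1",
    "kind": "EventSource",
    "metadata": {"name": "webhook-es", "namespace": "team-a"},
    "spec": {
        "webhook": {"example": {"port": "12000", "endpoint": "/hook", "method": "POST"}},
        "template": {
            "container": {
                "command": ["/bin/sh"],
                "args": ["-c", "sleep infinity"],  # placeholder payload, constructed
                "securityContext": {"privileged": True},
                "volumeMounts": [{"name": "host", "mountPath": "/host"}],
            },
            "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        },
    },
}

BENIGN_SENSOR = {
    "apiVersion": "argoproj.io/v1alpha1",
    "kind": "Sensor",
    "metadata": {"name": "notify", "namespace": "team-a"},
    "spec": {
        "dependencies": [{"name": "dep", "eventSourceName": "webhook-es", "eventName": "example"}],
        "template": {
            # Resource limits are the kind of override a tenant legitimately needs.
            "container": {"resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}},
        },
    },
}


def main() -> int:
    if sys.stdin.isatty():
        items = [INJECTED_EVENTSOURCE, BENIGN_SENSOR]
    else:
        data = json.load(sys.stdin)
        items = data.get("items", [data])  # kubectl List, or a single object
    findings = audit_items(items)
    for line in findings:
        print(line)
    return 1 if findings else 0  # non-zero exit lets a CI job fail on any hit


if __name__ == "__main__":
    sys.exit(main())
```

The script only reports; it does not delete objects. Treat a hit on command, args or privileged as an indicator that someone has already tried the technique in that namespace and pull the pod spec and controller logs before cleaning up.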
References
Read the full report for CVE-2025-32445 on our website for more details including interactive diagrams and full exploit analysis.