Directory Traversal
Description
Directory Traversal in Argo Events GitArtifactReader allows arbitrary file reads via symlinks or path traversal.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability overview
CVE-2022-25856 is a directory traversal vulnerability in the (g *GitArtifactReader).Read() API in git.go of the Argo Events package github.com/argoproj/argo-events/sensors/artifacts before version 1.7.1 [2]. Read() resolves the artifact's filePath relative to the cloned repository without checking where the resulting path leads, so a pathname that contains symbolic links or relative directory components such as .. lets an attacker read arbitrary files on the host system [1].
Exploitation methods
An attacker can exploit this vulnerability in at least three ways [4]:
1. by controlling a Git repository that the victim uses as a trigger source and including in it a symbolic link that points to a sensitive file;
2. by leveraging a race condition between the creation of the temporary clone directory and the file read to substitute a symbolic link;
3. by crafting a malicious manifest whose filePath points to an arbitrary file.
No authentication is required if the attacker can supply the Git repository or the manifest.
Impact
Successful exploitation enables an attacker to read arbitrary files on the victim's filesystem, potentially exposing sensitive information such as credentials, configuration files, or application source code [3]. This could lead to further compromise of the Argo Events environment.
Mitigation
The vulnerability is fixed in version 1.7.1 of the github.com/argoproj/argo-events/sensors/artifacts package [1]; the fix (commit d0f66dbce78b, PR #1965) rejects file paths containing .., ~ or a backslash and refuses to read a file that is a symbolic link. Users should upgrade to 1.7.1 or later. No workarounds are documented, and the issue has been publicly disclosed with no reports of active exploitation.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
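The check the overview and mitigation sections describe, written out as an added Go example (this is not Argo Events' code and not the patched git.go): rather than rejecting ".." as a substring and Lstat-ing only the final path component, it joins the user-supplied filePath onto the clone root, checks containment lexically, then resolves every symlink with filepath.EvalSymlinks and checks containment again, so a symlink anywhere in the path is caught. ResolveWithinRoot, ReadFileWithinRoot, isWithin, ErrOutsideRoot and BuildDemoRepo are names chosen for this example; BuildDemoRepo creates a constructed clone layout (a legitimate manifest, a file outside the clone, and a symlink from the clone to that file) purely to exercise the check. ReadFileWithinRoot stands in for the read at the end of readFromRepository.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot: after ".." cleaning and symlink resolution the file is not under root.
var ErrOutsideRoot = errors.New("file path escapes the repository root")

// ResolveWithinRoot joins a caller-supplied relative path onto root and returns the
// canonical absolute path, or an error if the result does not stay inside root.
func ResolveWithinRoot(root, userPath string) (string, error) {
	if filepath.IsAbs(userPath) {
		return "", fmt.Errorf("absolute path %q is not allowed", userPath)
	}
	// Canonicalise the root (e.g. /tmp -> /private/tmp on macOS) so both sides of
	// the containment comparison are canonical paths.
	absRoot, err := filepath.Abs(root)
	if err == nil {
		absRoot, err = filepath.EvalSymlinks(absRoot)
	}
	if err != nil {
		return "", err
	}
	// Lexical check: Join cleans "..", so "../x" escapes are caught without any I/O.
	candidate := filepath.Join(absRoot, userPath)
	if !isWithin(absRoot, candidate) {
		return "", ErrOutsideRoot
	}
	// Physical check: follow symlinks in every component, not only the final one
	// (which is all an os.Lstat of the full path would examine).
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}
	if !isWithin(absRoot, resolved) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

// isWithin reports whether p is root itself or a descendant of it.
func isWithin(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ReadFileWithinRoot has the shape of the read at the end of readFromRepository.
func ReadFileWithinRoot(root, userPath string) ([]byte, error) {
	p, err := ResolveWithinRoot(root, userPath)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p)
}

// BuildDemoRepo creates a constructed layout under a temp dir and returns the clone
// root plus a cleanup func: clone/manifest.yaml (legitimate), outside/secret.txt
// (must never be reachable) and clone/link-out -> ../outside/secret.txt (escaping symlink).
func BuildDemoRepo() (string, func(), error) {
	tmp, err := os.MkdirTemp("", "traversal-demo")
	if err != nil {
		return "", nil, err
	}
	cleanup := func() { os.RemoveAll(tmp) }
	clone, outside := filepath.Join(tmp, "clone"), filepath.Join(tmp, "outside")
	for _, e := range []error{ // elements are evaluated in order, so the dirs exist first
		os.MkdirAll(clone, 0o755),
		os.MkdirAll(outside, 0o755),
		os.WriteFile(filepath.Join(outside, "secret.txt"), []byte("constructed secret\n"), 0o600),
		os.WriteFile(filepath.Join(clone, "manifest.yaml"), []byte("kind: Sensor\n"), 0o644),
		os.Symlink(filepath.Join("..", "outside", "secret.txt"), filepath.Join(clone, "link-out")),
	} {
		if e != nil {
			cleanup()
			return "", nil, e
		}
	}
	return clone, cleanup, nil
}

func main() {
	root, cleanup, err := BuildDemoRepo()
	if err != nil {
		panic(err)
	}
	defer cleanup()
	for _, p := range []string{"manifest.yaml", "sub/../manifest.yaml", "../outside/secret.txt", "link-out", "/etc/hostname"} {
		data, err := ReadFileWithinRoot(root, p)
		fmt.Printf("%-24s bytes=%d err=%v\n", p, len(data), err)
	}
}
```

Running it shows the two in-clone spellings of manifest.yaml being read and the dot-dot path, the escaping symlink and the absolute path all rejected. One caveat that applies to the patched code as much as to this example: the resolved path is still opened after the check, so a link swapped in between EvalSymlinks and ReadFile is not caught by the resolution alone; holding the clone directory in a location no untrusted process can write to is what closes that window.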
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/argoproj/argo-events (Go) | < 1.7.1 | 1.7.1 |
Affected products
- github.com/argoproj/argo-events/sensors/artifacts
Patches
d0f66dbce78b fix: git artifactory arbitrary file read issue (#1965)
1 file changed · +34 −2
sensors/artifacts/git.go+34 −2 modified@@ -20,6 +20,8 @@ import ( "fmt" "io/ioutil" "os" + "path" + "strings" "github.com/go-git/go-git/v5" "github.com/go-git/go-git/v5/config" @@ -44,6 +46,8 @@ var ( "refs/*:refs/*", "HEAD:refs/heads/HEAD", } + + notAllowedInPath = []string{"..", "~", "\\"} ) type GitArtifactReader struct { @@ -52,6 +56,15 @@ type GitArtifactReader struct { // NewGitReader returns a new git reader func NewGitReader(gitArtifact *v1alpha1.GitArtifact) (*GitArtifactReader, error) { + if gitArtifact == nil { + return nil, fmt.Errorf("nil git artifact") + } + for _, na := range notAllowedInPath { + if strings.Contains(gitArtifact.FilePath, na) { + return nil, fmt.Errorf("%q is not allowed in the filepath", na) + } + } + return &GitArtifactReader{ artifact: gitArtifact, }, nil @@ -176,8 +189,16 @@ func (g *GitArtifactReader) readFromRepository(r *git.Repository, dir string) ([ return nil, fmt.Errorf("failed to pull latest updates. err: %+v", err) } } - - return ioutil.ReadFile(fmt.Sprintf("%s/%s", dir, g.artifact.FilePath)) + filePath := fmt.Sprintf("%s/%s", dir, g.artifact.FilePath) + // symbol link is not allowed due to security concern + isSymbolLink, err := isSymbolLink(filePath) + if err != nil { + return nil, err + } + if isSymbolLink { + return nil, fmt.Errorf("%q is a symbol link which is not allowed", g.artifact.FilePath) + } + return ioutil.ReadFile(filePath) } func (g *GitArtifactReader) getBranchOrTag() *git.CheckoutOptions { @@ -241,3 +262,14 @@ func (g *GitArtifactReader) Read() ([]byte, error) { } return g.readFromRepository(r, cloneDir) } + +func isSymbolLink(filepath string) (bool, error) { + fi, err := os.Lstat(path.Clean(filepath)) + if err != nil { + return false, err + } + if fi.Mode()&os.ModeSymlink != 0 { + return true, nil + } + return false, nil +}
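Review bot: the `notAllowedInPath` substring check added in the `var` block (`"..", "~", "\\"`) is coarser than the rule it enforces: `strings.Contains(gitArtifact.FilePath, "..")` also rejects legitimate names such as `release..notes.yaml`, while the thing that must be rejected is a `..` path component. Splitting the path on `/` and comparing each element to `..`, or computing `filepath.Rel(dir, filepath.Join(dir, filePath))` and rejecting a result that starts with `..`, states the rule exactly. A one-line comment on why `~` and `\` are in the list would also help the next reader.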
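Review bot: the `NewGitReader` doc comment still reads `// NewGitReader returns a new git reader` although the function now returns an error for a nil artifact and for a `FilePath` containing `..`, `~` or `\`; update the comment to state that contract. The validation also lives only in the constructor, so code in the package that builds a `GitArtifactReader` literal directly skips it; repeating the check next to the symlink check in `readFromRepository` keeps the guarantee attached to the read.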
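Review bot: in `readFromRepository`, `isSymbolLink(filePath)` followed by `ioutil.ReadFile(filePath)` is a check-then-use pair, and `os.Lstat` inspects only the final component, so a symlink in an intermediate directory of `g.artifact.FilePath` is not seen by this check. Resolving with `filepath.EvalSymlinks` and confirming with `filepath.Rel` that the result is still under `dir` covers every component; the remaining window between the check and the read is worth a sentence in the comment, which should also say "symlink" rather than "symbol link".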
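Review bot: `isSymbolLink` cleans with `path.Clean`, which is meant for forward-slash URL-style paths; `filepath.Clean` from `path/filepath` is the OS-path equivalent and would make the new `"path"` import in the first hunk unnecessary. The body can also collapse to `return fi.Mode()&os.ModeSymlink != 0, nil`, and `isSymlink` is the conventional name.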
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-qpgx-64h2-gc3c (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-25856 (ghsa, ADVISORY)
- github.com/argoproj/argo-events/commit/d0f66dbce78bc31923ca057b20fc722aa24ca961 (ghsa, x_refsource_MISC, WEB)
- github.com/argoproj/argo-events/issues/1947 (ghsa, x_refsource_MISC, WEB)
- github.com/argoproj/argo-events/pull/1965 (ghsa, WEB)
- github.com/argoproj/argo-events/security/advisories/GHSA-qpgx-64h2-gc3c (ghsa, WEB)
- pkg.go.dev/vuln/GO-2022-0492 (ghsa, WEB)
- snyk.io/vuln/SNYK-GOLANG-GITHUBCOMARGOPROJARGOEVENTSSENSORSARTIFACTS-2864522 (ghsa, x_refsource_MISC, WEB)