Moderate severity · NVD Advisory · Published Oct 28, 2024 · Updated Apr 4, 2025
Argo Workflows Controller: Denial of Service via malicious daemon Workflows
CVE-2024-47827
Description
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Due to a race condition in a global variable in 3.6.0-rc1, the Argo Workflows controller can be made to crash on command by any user with access to execute a workflow. This vulnerability is fixed in 3.6.0-rc2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/argoproj/argo-workflows/v3 (Go) | >= 3.6.0-rc1, < 3.6.0-rc2 | 3.6.0-rc2 |
Affected products
- Range: >= 3.6.0-rc1, < 3.6.0-rc2
Patches
- 524406451f4d fix: Prevent data race from global metrics round-tripper (#13641)
1 file changed · +8 −6
workflow/metrics/metrics_k8s_request.go+8 −6 modified@@ -38,15 +38,19 @@ func addK8sRequests(_ context.Context, m *Metrics) error { return err } +type metricsRoundTripperContext struct { + ctx context.Context + metrics *Metrics +} + type metricsRoundTripper struct { - ctx context.Context + *metricsRoundTripperContext roundTripper http.RoundTripper - metrics *Metrics } // This is a messy global as we need to register as a roundtripper before // we can instantiate metrics -var k8sMetrics metricsRoundTripper +var k8sMetrics metricsRoundTripperContext func (m metricsRoundTripper) RoundTrip(r *http.Request) (*http.Response, error) { startTime := time.Now() @@ -71,9 +75,7 @@ func AddMetricsTransportWrapper(ctx context.Context, config *rest.Config) *rest. if wrap != nil { rt = wrap(rt) } - k8sMetrics.ctx = ctx - k8sMetrics.roundTripper = rt - return &k8sMetrics + return &metricsRoundTripper{roundTripper: rt, metricsRoundTripperContext: &k8sMetrics} } return config }
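Review bot: the comment above `var k8sMetrics` in the first hunk is now stale. It still says "we need to register as a roundtripper", but the global is no longer a round-tripper; it is the `metricsRoundTripperContext` that every `metricsRoundTripper` reaches through the embedded pointer. Reword the comment to say that only `ctx` and `metrics` are shared while `roundTripper` is per instance, and document how writes to the shared fields are made visible to goroutines calling `RoundTrip`, since no lock or atomic appears in these lines. If the fields are written once before any request is sent, say so in the comment; otherwise guard them.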
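Review bot: in the second hunk the removed `k8sMetrics.ctx = ctx` has no replacement, so within the lines shown nothing assigns `ctx` on the shared context and the `ctx` argument of `AddMetricsTransportWrapper` is unused inside the wrapper closure. The first hunk's header also shows `addK8sRequests` taking `_ context.Context`, so it discards its context as well. Either assign `ctx` at the point where `metrics` is registered, or drop the field and the parameter. Since the existing comment says the round-tripper is registered before metrics are instantiated, please also confirm that `RoundTrip` tolerates a nil `ctx` and nil `metrics` for requests sent before registration.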
References
- github.com/advisories/GHSA-ghjw-32xw-ffwr (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-47827 (ghsa, ADVISORY)
- github.com/argoproj/argo-workflows/blob/ce7f9bfb9b45f009b3e85fabe5e6410de23c7c5f/workflow/metrics/metrics_k8s_request.go (ghsa, x_refsource_MISC, WEB)
- github.com/argoproj/argo-workflows/commit/524406451f4dfa57bf3371fb85becdb56a2b309a (ghsa, x_refsource_MISC, WEB)
- github.com/argoproj/argo-workflows/pull/13641 (ghsa, x_refsource_MISC, WEB)
- github.com/argoproj/argo-workflows/security/advisories/GHSA-ghjw-32xw-ffwr (ghsa, x_refsource_CONFIRM, WEB)