
seclog: [HIGH] Multiple Critical Dependencies with Known Vulnerabilities Detected #5336

@mert2m

Summary

Trivy scan found 5 HIGH severity CVEs in our dependencies. Argo Workflows v3.3.5 has a zip slip bug and leaks credentials. path-to-regexp 1.8.0 has a ReDoS issue that can crash the web app.

Details

Found these while running security scans:

Argo Workflows (v3.3.5 → need v3.6.12+)

  • CVE-2025-62156: Zip slip vulnerability - attacker can write files outside intended directories
  • CVE-2025-62157: Credentials get exposed in some scenarios

Affected files:

  • chaoscenter/graphql/server/go.mod
  • chaoscenter/subscriber/go.mod

path-to-regexp (1.8.0 → need 1.9.0+)

Affected:

  • chaoscenter/web/yarn.lock

PoC

Run trivy to see it yourself:

trivy fs . --severity HIGH,CRITICAL

You'll see 2 vulns in graphql/server, 2 in subscriber, and 1 in web.

Impact

  • Zip slip = potential RCE or file system tampering
  • Credential leak = unauthorized access to artifact repos
  • ReDoS = web app can be DoS'd with crafted requests

All production deployments are affected.

Remediation

Quick fix - just bump the versions:

Fix argo workflows

cd chaoscenter/graphql/server
go get github.com/argoproj/argo-workflows/v3@v3.6.12
go mod tidy

cd ../../../chaoscenter/subscriber
go get github.com/argoproj/argo-workflows/v3@v3.6.12
go mod tidy

Fix path-to-regexp

cd ../web
yarn upgrade path-to-regexp@^1.9.0

Verify with trivy fs . --severity HIGH,CRITICAL afterwards.
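A second way to confirm the bumps landed in the three affected files, added here as an example and not part of the issue or the litmus project: a small Python checker that reads the Argo Workflows pin from each go.mod and the path-to-regexp pin from yarn.lock and flags anything still below the versions the issue names. The embedded go.mod and yarn.lock snippets are constructed for illustration.

```python
"""Check pinned dependency versions against the minimums named in the issue (added example)."""
import re

# module or package name -> first fixed version, as stated in the issue
MINIMUMS = {"github.com/argoproj/argo-workflows/v3": (3, 6, 12),
            "path-to-regexp": (1, 9, 0)}

def parse_version(s):
    """'v3.6.12' or '1.8.0' -> (3, 6, 12); any pre-release suffix is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", s)
    if not m: raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(x) for x in m.groups())

def gomod_pins(text):
    """Yield (module, version) from go.mod 'require' lines, block or single-line form."""
    in_block = False
    for line in text.splitlines():
        line = line.split("//")[0].strip()          # drop '// indirect' comments
        if line.startswith("require ("):
            in_block = True
        elif in_block and line == ")":
            in_block = False
        elif in_block or line.startswith("require "):
            m = re.match(r"(?:require\s+)?(\S+)\s+(v\d\S*)", line)
            if m:
                yield m.group(1), m.group(2)

def yarnlock_pins(text):
    """Yield (package, version) from a v1 yarn.lock; one entry may list several specs."""
    names = set()
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            names = {s.strip().strip('"').rsplit("@", 1)[0] for s in line[:-1].split(",")}
        m = re.match(r'\s+version\s+"([^"]+)"', line)
        if m:
            for name in names:
                yield name, m.group(1)

def outdated(pins):
    """Return [(name, pinned, minimum)] for pins still below the fixed version."""
    return [(n, v, ".".join(map(str, MINIMUMS[n]))) for n, v in pins
            if n in MINIMUMS and parse_version(v) < MINIMUMS[n]]

# Constructed samples mirroring the vulnerable state the issue describes.
SAMPLE_GOMOD = """module example.com/chaoscenter/graphql/server
require (
\tgithub.com/argoproj/argo-workflows/v3 v3.3.5
)
"""
SAMPLE_YARNLOCK = """# yarn lockfile v1
"path-to-regexp@^1.7.0", "path-to-regexp@^1.8.0":
  version "1.8.0"
"""
```

Point the two parsers at the real chaoscenter/graphql/server/go.mod, chaoscenter/subscriber/go.mod and chaoscenter/web/yarn.lock and an empty result from outdated() means all three pins are at or above the fixed versions.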
