How severe is CVE-2025-32445?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.9 out of 10.

What type of vulnerability is CVE-2025-32445?

This is classified as CWE-250, which is a common weakness in software security.

CVE-2025-32445 - CRITICAL Severity | CVSS 9.9

Vulnerability Description

Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. The EventSource and Sensor CRs allow the corresponding orchestrated pod to be customized with spec.template and spec.template.container (with type k8s.io/api/core/v1.Container), thus, any specification under container such as command, args, securityContext , volumeMount can be specified, and applied to the EventSource or Sensor pod. With these, a user would be able to gain privileged access to the cluster host, if he/she specified the EventSource/Sensor CR with some particular properties under template. This vulnerability is fixed in v1.9.6.

Related Vulnerabilities

CVE-2024-3330

CRITICAL

CVSS:9.9(Critical)

Vulnerability in Spotfire Spotfire Analyst, Spotfire Spotfire Server, Spotfire Spotfire for AWS Marketplace allows In the case of the installed Windows client: Successful execution of this vulnerabili...

CWE-2502024

CVE-2024-8767

CRITICAL

CVSS:9.9(Critical)

Sensitive data disclosure and manipulation due to unnecessary privileges assignment. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 619, Acronis Backu...

CWE-2502024

CVE-2021-41035

CRITICAL

CVSS:9.8(Critical)

In Eclipse Openj9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods.

CWE-2502021

CVE-2022-1517

CRITICAL

CVSS:9.8(Critical)

LRM utilizes elevated privileges. An unauthenticated malicious actor can upload and execute code remotely at the operating system level, which can allow an attacker to change settings, configurations,...

CWE-2502022

CVE-2022-2634

CRITICAL

CVSS:9.8(Critical)

An attacker may be able to execute malicious actions due to the lack of device access protections and device permissions when using the web application. This could lead to uploading python files which...

CWE-2502022

CVE-2022-32535

CRITICAL

CVSS:9.8(Critical)

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.

CWE-2502022