Critical Security Risks in Litmus via Outdated Argo Dependencies (incl. CVE-2025-32445 PrivEsc + unmaintained gnostic protobuf library) #5458

@nXtCyberNet

Description

Attachment: trivy-argo.json

Summary

Critical supply-chain and transitive-vulnerability risk: LitmusChaos inherits outdated dependencies from older Argo Workflows releases (the v3.3.x / v3.4.x era), including the archived and unmaintained github.com/google/gnostic protobuf/OpenAPI library (no further security updates; replaced by the maintained github.com/google/gnostic-models in Argo v3.5+ / v4.0.x+).

Trivy scans reveal a CRITICAL privilege escalation (CVE-2025-32445, in Argo Events transitive dependencies) and multiple HIGH/CRITICAL issues in the Go standard library, golang.org/x/crypto, net/http, etc.

CVE-2025-32445 allows users with limited permissions (e.g., the ability to create EventSource/Sensor CRs) to inject malicious containers and gain privileged host/cluster access, breaking isolation in multi-tenant setups.

Severity: Critical (CVSS ~9.9; actively exploitable risk).


Details

  • github.com/google/gnostic is deprecated/archived → no future security patches.
  • Argo Workflows migrated to github.com/google/gnostic-models in v3.5.x+.
  • Litmus uses Argo Workflows → older versions propagate vulnerable dependencies.

Key Findings (Trivy Scan)

  • CVE-2025-32445 (CRITICAL) – Argo Events PrivEsc → host compromise
  • CVE-2022-1996 (CRITICAL) – go-restful auth bypass
  • CVE-2024-45337 (CRITICAL) – golang.org/x/crypto SSH issue
  • Multiple HIGH/CRITICAL issues in Go stdlib (net/http, crypto/tls, html/template)

PoC / Reproduction Steps & Testing Commands

Run the following in a cloned Litmus repo or your deployed cluster.

1. Check for unmaintained gnostic dependency

go list -m all | grep -E 'github.com/google/gnostic( |$)'

Expected (vulnerable):

github.com/google/gnostic v0.x.x

2. Scan dependencies using Trivy

trivy fs . \
  --vuln-type library \
  --scanners vuln \
  --severity CRITICAL,HIGH \
  --format table

JSON output (attach to issue):

trivy fs . \
  --vuln-type library \
  --scanners vuln \
  --severity CRITICAL,HIGH \
  -f json -o trivy-litmus-deps.json

Expected snippet:

Library                          Vulnerability      Severity
argo-events                      CVE-2025-32445     CRITICAL
emicklei/go-restful              CVE-2022-1996      CRITICAL
golang.org/x/crypto              CVE-2024-45337     CRITICAL

3. Check Argo Workflow Controller image version

kubectl get pods -n litmus \
  -l app.kubernetes.io/name=workflow-controller \
  -o jsonpath='{.items[0].spec.containers[0].image}'

Expected (vulnerable):

argoproj/workflow-controller:v3.3.x

4. Scan Argo image directly

trivy image argoproj/workflow-controller:v3.3.5 \
  --severity CRITICAL,HIGH \
  --scanners vuln

Expected: multiple CRITICAL/HIGH vulnerabilities.


5. Verify after upgrade (sanity check)

go list -m all | grep -E 'github.com/google/gnostic( |$)'

Expected (fixed); the pattern is anchored so the maintained gnostic-models module, which also contains the string "gnostic", does not match:

(no output)

Impact

  • Privilege escalation → cluster/host compromise
  • Potential DoS and auth bypass
  • CI/CD security scan failures
  • Affects production Litmus deployments using Argo

Remediation Suggestion

Upgrade Argo Workflows to ≥ v3.5.5 (recommended: latest v4.x):

  • Removes gnostic and replaces it with the maintained gnostic-models library
  • Fixes CVE-2025-32445 via Argo Events ≥ v1.9.6
  • Updates vulnerable Go dependencies

Steps

  1. Update Argo images in Helm/manifests
  2. Update Go modules and run go mod tidy
  3. Re-scan using Trivy
  4. Validate workflows
  5. Add dependency automation (Dependabot/Renovate)
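As an added example (not part of this issue or the Litmus project), a small Go CI gate that automates the post-upgrade gnostic check (PoC step 5) and the Trivy re-scan (remediation step 3): it reads a Trivy JSON report plus `go list -m all` output and fails the build on any HIGH/CRITICAL finding or any remaining github.com/google/gnostic module, while letting the maintained gnostic-models through. The sample report and module list are constructed; the installed versions and the second CVE id are placeholders.

```go
package main
import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Subset of Trivy's JSON report; the field names equal the JSON keys, so encoding/json needs no struct tags.
type trivyReport struct {
	Results []struct{ Vulnerabilities []struct{ VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity string } }
}
var rank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
// Gate lists blocking findings: Trivy vulnerabilities at or above minSeverity, plus any module in `go list -m all` output
// whose path equals or sits under an unmaintained path (gnostic is flagged, gnostic-models is not). Unreadable report = fail closed.
func Gate(trivyJSON []byte, goList, minSeverity string, unmaintained []string) []string {
	var r trivyReport
	if err := json.Unmarshal(trivyJSON, &r); err != nil {
		return []string{"ERROR unreadable trivy report: " + err.Error()}
	}
	var out []string
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			if rank[v.Severity] >= rank[minSeverity] {
				out = append(out, fmt.Sprintf("%s %s %s@%s fixed=%q", v.Severity, v.VulnerabilityID, v.PkgName, v.InstalledVersion, v.FixedVersion))
			}
		}
	}
	for _, line := range strings.Split(goList, "\n") {
		f := strings.Fields(line) // "<module path> <version>"; the main module line has no version
		for _, u := range unmaintained {
			if len(f) == 2 && (f[0] == u || strings.HasPrefix(f[0], u+"/")) {
				out = append(out, "UNMAINTAINED "+f[0]+"@"+f[1])
			}
		}
	}
	return out
}
// Constructed sample inputs, not real scan output; versions and the second CVE id are placeholders.
const sampleTrivy = `{"Results":[{"Vulnerabilities":[{"VulnerabilityID":"CVE-2025-32445","PkgName":"github.com/argoproj/argo-events","InstalledVersion":"v1.9.0","FixedVersion":"v1.9.6","Severity":"CRITICAL"},
{"VulnerabilityID":"CVE-0000-PLACEHOLDER","PkgName":"example.com/lib","InstalledVersion":"v1.0.0","FixedVersion":"","Severity":"MEDIUM"}]}]}`
const sampleGoList = "github.com/litmuschaos/litmus\ngithub.com/google/gnostic v0.5.7\ngithub.com/google/gnostic-models v0.6.8\n"

func main() {
	findings := Gate([]byte(sampleTrivy), sampleGoList, "HIGH", []string{"github.com/google/gnostic"})
	fmt.Println(strings.Join(findings, "\n"))
	if len(findings) > 0 {
		os.Exit(1) // a non-zero exit fails the CI job until the report is clean ("Expected (fixed): (no output)")
	}
}
```

In a pipeline, feed it the `trivy fs ... -f json` output and `go list -m all` from the upgraded tree; a clean run prints nothing and exits 0.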

Labels

kind/security
area/dependencies
priority/critical


Notes

Attach full Trivy JSON report and command outputs for verification.
