Vulnerabilites in v3.6.2

[bedla]

Pre-requisites

• I have double-checked my configuration
• I have tested with the :latest image tag (i.e. quay.io/argoproj/workflow-controller:latest) and can confirm the issue still exists on :latest. If not, I have explained why, in detail, in my description below.
• I have searched existing issues and could not find a match for this bug
• I'd like to contribute the fix myself (see contributing guide)

What happened? What did you expect to happen?

Hi,
Trivy scanner reports some vulnerabilites with CRITICAL and HIGH severity. Are they false positives, or is there a plan to mitigate them?
Thank you
Ivos

argoproj/workflow-controller
CRITICAL https://avd.aquasec.com/nvd/cve-2024-45337
HIGH https://avd.aquasec.com/nvd/cve-2024-45338

argoproj/argocli
CRITICAL https://avd.aquasec.com/nvd/cve-2024-45337
CRITICAL https://avd.aquasec.com/nvd/cve-2025-21613
HIGH https://avd.aquasec.com/nvd/cve-2024-45338
HIGH https://avd.aquasec.com/nvd/cve-2025-21614

Version(s)

v3.6.2

Paste a minimal workflow that reproduces the issue. We must be able to run the workflow; don't enter a workflow that uses private images.

none

Logs from the workflow controller

kubectl logs -n argo deploy/workflow-controller | grep ${workflow}

Logs from in your workflow's wait container

kubectl logs -n argo -c wait -l workflows.argoproj.io/workflow=${workflow},workflow.argoproj.io/phase!=Succeeded

[Joibel]

I will address this in the next release: 3.6.3

Snyk scan: https://github.com/argoproj/argo-workflows/actions/runs/13201714305/job/36855086469 is now clear, it was previously reporting these.

[bedla]

thank you