High CVE in go package used in argoexec #15156

@simrangera99

Pre-requisites

  • I have double-checked my configuration
  • I have tested with the :latest image tag (i.e. quay.io/argoproj/workflow-controller:latest) and can confirm the issue still exists on :latest. If not, I have explained why, in detail, in my description below.
  • I have searched existing issues and could not find a match for this bug
  • I'd like to contribute the fix myself (see contributing guide)

What happened? What did you expect to happen?

In the argoproj/argoexec latest image, our security scanner has detected high-severity CVEs introduced through a Go package. Can we expect this to be patched soon?

CVE-2025-61725
CVE-2025-61723
CVE-2025-58187

We are using :latest --> https://hub.docker.com/layers/argoproj/argoexec/v3.6.15/images/sha256-1d094825436c558c8ca59e95b8df8d66e7c6d240164454f4bf93e138c678ea80

Version(s)

sha256:1d094825436c558c8ca59e95b8df8d66e7c6d240164454f4bf93e138c678ea80

Paste a minimal workflow that reproduces the issue. We must be able to run the workflow; don't enter a workflow that uses private images.

NA

Logs from the workflow controller

kubectl logs -n argo deploy/workflow-controller | grep ${workflow}

Logs from your workflow's wait container

kubectl logs -n argo -c wait -l workflows.argoproj.io/workflow=${workflow},workflow.argoproj.io/phase!=Succeeded
