SecuriTricks - CVE-2025-47933

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. This issue has been patched in versions 2.13.8, 2.14.13, and 3.0.4.

Product(s) Impacted

Vendor	Product	Versions
Argoproj	Argo Cd	2.13.8, 2.14.13, 3.0.4

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	argoproj	argo_cd	2.13.8	/	/	/	/	/	/	/
a	argoproj	argo_cd	2.14.13	/	/	/	/	/	/	/
a	argoproj	argo_cd	3.0.4	/	/	/	/	/	/	/

References

https://github.com/argoproj/argo-cd/commit/a5b4041a79c54bc7b3d090805d070bcdb9a9e4d1

https://github.com/argoproj/argo-cd/security/advisories/GHSA-2hj5-g64g-fp6p

CVSS Score

9.0 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

View Vector String

Timeline

Published: May 29, 2025, 8:15 p.m.
Last Modified: May 30, 2025, 4:31 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CVE-2025-47933