CVE-2025-47933

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. This issue has been patched in versions 2.13.8, 2.14.13, and 3.0.4.

CVSS v3 9.0 CRITICAL

9.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/argoproj/argo-cd/commit/a5b4041a79c54bc7b3d090805d070bcdb9a9e4d1	Patch
https://github.com/argoproj/argo-cd/security/advisories/GHSA-2hj5-g64g-fp6p	Third Party Advisory Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:argoproj:argo_cd::::::::
	cpe:2.3:a:argoproj:argo_cd::::::::
	cpe:2.3:a:argoproj:argo_cd::::::::
	cpe:2.3:a:argoproj:argo_cd:1.2.0:rc1::::::
	cpe:2.3:a:argoproj:argo_cd:1.2.0:rc2::::::

History

27 Aug 2025, 02:28

Type	Values Removed	Values Added
CPE		cpe:2.3:a:argoproj:argo_cd:::::::: cpe:2.3:a:argoproj:argo_cd:1.2.0:rc1:::::: cpe:2.3:a:argoproj:argo_cd:1.2.0:rc2::::::
References	~~() https://github.com/argoproj/argo-cd/commit/a5b4041a79c54bc7b3d090805d070bcdb9a9e4d1 -~~	() https://github.com/argoproj/argo-cd/commit/a5b4041a79c54bc7b3d090805d070bcdb9a9e4d1 - Patch
References	~~() https://github.com/argoproj/argo-cd/security/advisories/GHSA-2hj5-g64g-fp6p -~~	() https://github.com/argoproj/argo-cd/security/advisories/GHSA-2hj5-g64g-fp6p - Third Party Advisory, Patch
First Time		Argoproj Argoproj argo Cd

30 May 2025, 16:31

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-29 20:15

Updated : 2025-08-27 02:28

NVD link : CVE-2025-47933

Mitre link : CVE-2025-47933

CVE.ORG link : CVE-2025-47933

JSON object : View

Products Affected

argoproj

argo_cd

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-47933", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2025-05-29T20:15:27.473", "references": [{"url": "https://github.com/argoproj/argo-cd/commit/a5b4041a79c54bc7b3d090805d070bcdb9a9e4d1", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2hj5-g64g-fp6p", "tags": ["Third Party Advisory", "Patch"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. This issue has been patched in versions 2.13.8, 2.14.13, and 3.0.4."}, {"lang": "es", "value": "Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. En versiones anteriores a las 2.13.8, 2.14.13 y 3.0.4, un atacante pod\u00eda realizar acciones arbitrarias en nombre de la v\u00edctima a trav\u00e9s de la API. Debido al filtrado incorrecto de los protocolos de URL en la p\u00e1gina del repositorio, un atacante puede realizar ataques de cross-site scripting con permiso para editar el repositorio. Este problema se ha corregido en las versiones 2.13.8, 2.14.13 y 3.0.4."}], "lastModified": "2025-08-27T02:28:01.647", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FEB6AB4D-CAF5-43BF-9362-35FA59D22980", "versionEndExcluding": "2.13.8", "versionStartIncluding": "1.2.1"}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D8AA903B-D9F7-4678-B437-2210CE881CD0", "versionEndExcluding": "2.14.13", "versionStartIncluding": "2.14.0"}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E53FAABC-D715-451D-ABAE-F04B19AA99CD", "versionEndExcluding": "3.0.4", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:1.2.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BA998D51-81E0-475F-8ABE-1CB42F848B8E"}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:1.2.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "47306D25-C476-4E30-BEA7-0151CF31F5D7"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}