CVE-2025-47933
Published 2025-05-29
Priority: P4 (28) · CVSS 3.1: 5.4 medium
Vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.41% (32.8th percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. This issue has been patched in versions 2.13.8, 2.14.13, and 3.0.4.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo_cd | — | — |
| argoproj | argo_cd | >= 1.2.1 < 2.13.8 | 2.13.8 |
| argoproj | argo_cd | >= 2.14.0 < 2.14.13 | 2.14.13 |
| argoproj | argo_cd | >= 3.0.0 < 3.0.4 | 3.0.4 |
| github.com | argoproj_argo-cd | 1.2.0-rc1 – 1.8.7 | — |
| github.com | argoproj_argo-cd | >= 1.2.0-rc1 | — |
| github.com | argoproj_argo-cd_v2 | >= 2.0.0-rc3 < 2.13.8 | 2.13.8 |
| github.com | argoproj_argo-cd_v2 | >= 2.14.0-rc1 < 2.14.13 | 2.14.13 |
| github.com | argoproj_argo-cd_v3 | >= 0 < 3.0.4 | 3.0.4 |
CVSS provenance
nvd v3.1: 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vendor_redhat: 9.0 CRITICAL
OSV
Argo CD allows cross-site scripting on repositories page in github.com/argoproj/argo-cd
osv·2025-05-29
CVE-2025-47933 Argo CD allows cross-site scripting on repositories page in github.com/argoproj/argo-cd
OSV
Argo CD allows cross-site scripting on repositories page
osv·2025-05-28
CVE-2025-47933 [CRITICAL] Argo CD allows cross-site scripting on repositories page
### Impact
This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository.
In `ui/src/app/shared/components/urls.ts`, the following code exists to parse the repository URL.
https://github.com/argoproj/argo-cd/blob/0ae5882d5ae9fe88efc51f65ca8543fb8c3a0aa1/ui/src/app/shared/components/urls.ts#L14-L26
Since this code doesn't validate the protocol of repository URLs, it's possible to inject `javascript:` URLs here.
https://github.com/argoproj/argo-cd/blob/0ae5882d5ae9fe88efc51f
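The flaw described above is a missing scheme check before a user-controlled repository URL becomes a link in the UI. As an added illustration that is not Argo CD's own code (the real `urls.ts` and its fix are linked above; the function names, the allowed-scheme list and the scp-style rewrite below are assumptions), this shows the vulnerable pattern beside a hardened version:

```typescript
// Added example, not Argo CD's urls.ts: turning a repository URL from the
// repo settings into an href. Scheme names and helpers are assumptions.

// Schemes a repository link is legitimately allowed to use (assumed list).
const ALLOWED_SCHEMES: string[] = ["http:", "https:", "ssh:", "git:"];

// Vulnerable pattern: the stored repo string is used as the link target
// unchanged, so "javascript:..." reaches an <a href> and runs on click.
function naiveRepoHref(repoUrl: string): string {
  return repoUrl.trim();
}

// WHATWG URL parsing that returns null instead of throwing on junk input.
function parseUrl(candidate: string): URL | null {
  try {
    return new URL(candidate);
  } catch {
    return null;
  }
}

// Hardened version: scp-style "user@host:path" is rewritten to an https
// link; everything else must parse as an absolute URL whose scheme is on
// the allow list. javascript:, data:, vbscript: and unparseable strings
// yield null so the caller renders plain text rather than a clickable link.
function safeRepoHref(repoUrl: string): string | null {
  const scp = /^([\w.-]+)@([\w.-]+):(.+)$/.exec(repoUrl.trim());
  if (scp) {
    const host = scp[2];
    const path = scp[3].replace(/\.git$/, "");
    return "https://" + host + "/" + path;
  }
  const parsed = parseUrl(repoUrl);
  // URL parsing lowercases the scheme and strips leading whitespace, so
  // " JavaScript:" still compares as "javascript:" and is rejected here.
  if (parsed === null || ALLOWED_SCHEMES.indexOf(parsed.protocol) === -1) {
    return null;
  }
  return parsed.href;
}
```

The important property is that the decision is made on the parsed scheme, not on a substring match, so case and whitespace variants are handled by the parser rather than by hand-written checks.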
GHSA
Argo CD allows cross-site scripting on repositories page
ghsa·2025-05-28
CVE-2025-47933 [CRITICAL] CWE-79 Argo CD allows cross-site scripting on repositories page
Red Hat
argocd: Improper URL Sanitization in Argo CD Repository Page Allows Cross-Site Scripting (XSS)
vendor_redhat·2025-05-28·CVSS 9.0
CVE-2025-47933 [CRITICAL] CWE-79 argocd: Improper URL Sanitization in Argo CD Repository Page Allows Cross-Site Scripting (XSS)
A flaw was found in Argo CD, where improper filtering of repository URLs in the UI allows JavaScript injection. A crafted javascript: link can lead to cross-site scripting when viewed by another user. This can result in unauthorized API actions via the victim's session.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.