github.com/argoproj/argo-cd/v2 vulnerabilities
46 known vulnerabilities affecting github.com/argoproj_argo-cd_v2.
Total CVEs: 46
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 8, HIGH 13, MEDIUM 16, UNKNOWN 9
Vulnerabilities
Page 2 of 3
CVE-2024-21661 | P3 | HIGH | affected: ≥ 0, < 2.8.13; ≥ 2.9.0, < 2.9.9; +1 more | 2024-03-18
CVE-2024-21661 [HIGH] CWE-787 Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment
### Summary
An attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment.
Sources: GHSA, OSV
CVE-2024-41666 | P3 | HIGH | CVSS 7.1 | affected: ≥ 2.6.0, < 2.9.21; ≥ 2.10.0, < 2.10.16; +1 more | 2024-07-24
CVE-2024-41666 [HIGH] CWE-269 The Argo CD web terminal session does not handle the revocation of user permissions properly
In Argo CD v2.11.3 and earlier, even after a user's `p, role:myrole, exec, create, */*, allow` permission is revoked, the user can still send any WebSocket message over an already open terminal session, which allows them to view sensitive information they should no longer have access to.
Sources: GHSA, OSV
CVE-2022-24730 | P3 | UNKNOWN | affected: ≥ 0, < 2.1.11; ≥ 2.2.0, < 2.2.6; +1 more | 2024-08-21
CVE-2022-24730 Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd
Source: OSV
CVE-2024-31990 | P3 | MEDIUM | affected: ≥ 2.4.0, < 2.8.16; ≥ 2.9.0, < 2.9.12; +1 more | 2024-04-15
CVE-2024-31990 [MEDIUM] CWE-863 Argo CD's API server does not enforce project sourceNamespaces
### Impact
I can convince the UI to let me do things with an invalid Application.
1. Admin gives me `p, michael, applications, *, demo/*, allow`, where `demo` can just deploy to the `demo` namespace
2. Admin gives me AppProject `dev` which reconciles from ns `dev-apps`
3. Admin gives me `p, michael, applications, sync, dev/*, allow`, i.e.
Sources: GHSA, OSV
CVE-2023-40025 | P3 | HIGH | affected: ≥ 2.6.0, < 2.6.14; ≥ 2.7.0, < 2.7.12; +2 more | 2023-08-23
CVE-2023-40025 [HIGH] CWE-613 Argo CD web terminal session doesn't expire
### Impact
All versions of Argo CD starting from v2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even wh
Sources: GHSA, OSV
CVE-2023-40584 | P3 | MEDIUM | affected: ≥ 2.4.0, < 2.6.15; ≥ 2.7.0, < 2.7.14; +1 more | 2023-09-11
CVE-2023-40584 [MEDIUM] CWE-400 Argo CD repo-server Denial of Service vulnerability
### Impact
All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, the said component extracts a user-controlled tar.gz file without validating the size of its inner files. As a result, a malicious, low-privileged user can send a malicious tar.gz file that exp
Sources: GHSA, OSV
CVE-2023-25163 | P3 | MEDIUM | affected: ≥ 2.6.0-rc1, < 2.6.1 | 2023-02-08
CVE-2023-25163 [MEDIUM] CWE-532 Argo CD leaks repository credentials in user-facing error messages and in logs
### Impact
All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via
Sources: GHSA, OSV
CVE-2023-50726 | P3 | MEDIUM | affected: ≥ 2.9.0, < 2.9.8; ≥ 2.10.0, < 2.10.3; +1 more | 2024-03-15
CVE-2023-50726 [MEDIUM] CWE-269 Users with `create` but not `override` privileges can perform local sync
### Impact
"Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git.
An improper validation bug all
Sources: GHSA, OSV
CVE-2024-29893 | P3 | MEDIUM | affected: ≥ 2.4.0, < 2.8.14; ≥ 2.9.0, < 2.9.10; +1 more | 2024-03-29
CVE-2024-29893 [MEDIUM] CWE-400 ArgoCD's repo server has Uncontrolled Resource Consumption vulnerability
### Impact
All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server component through an out of memory error by pointing it to a malicious Helm registry.
The loadRepoIndex() functio
Sources: GHSA, OSV
CVE-2025-23216 | P4 | MEDIUM | affected: ≥ 2.13.0, < 2.13.4; ≥ 2.12.0, < 2.12.10; +1 more | 2025-01-30
CVE-2025-23216 [MEDIUM] CWE-200 Argo CD does not scrub secret values from patch errors
### Impact
A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository.
The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to
Sources: GHSA, OSV
CVE-2022-31016 | P4 | MEDIUM | affected: ≥ 0, < 2.1.16; ≥ 2.2.0, < 2.2.10; +2 more | 2022-06-21
CVE-2022-31016 [MEDIUM] CWE-400 DoS through large manifest files in Argo CD
### Impact
All versions of Argo CD starting with v0.7.0 are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the [repo-server](https://argo-cd.readthedocs.io/en/stable/operator-manual/architecture/#repository-server) service. The repo-server is a critical component of Argo CD, so crashing the repo-server effectively denies c
Sources: GHSA, OSV
CVE-2024-32476 | P4 | MEDIUM | affected: ≥ 2.10.0, < 2.10.8; ≥ 2.9.0, < 2.9.13; +1 more | 2024-04-26
CVE-2024-32476 [MEDIUM] CWE-400 Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences
### Impact
Denial of service via out-of-memory (OOM) using a jq expression in `ignoreDifferences`:
```yaml
ignoreDifferences:
- group: apps
  kind: Deployment
  jqPathExpressions:
  - 'until(true == false; [.] + [1])'
```
### Patches
A patch for this vulnerability has been released in the following Argo CD versions:
v2.10.
Sources: GHSA, OSV
CVE-2025-55191 | P4 | MEDIUM | affected: ≥ 2.1.0, < 2.14.20 | 2025-09-30
CVE-2025-55191 [MEDIUM] CWE-362 Repository Credentials Race Condition Crashes Argo CD Server
### Summary
A race condition in the repository credentials handler can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL.
### Details
The vulnerability is located in numerous repository related handlers in the `util/db/repository_secrets.go` file. For example, in the `secretToRepo
Sources: GHSA, OSV
CVE-2022-24731 | P4 | UNKNOWN | affected: ≥ 0, < 2.1.11; ≥ 2.2.0, < 2.2.6; +1 more | 2024-08-21
CVE-2022-24731 Path traversal allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd
Source: OSV
CVE-2022-31102 | P4 | UNKNOWN | affected: ≥ 2.3.0, < 2.3.6; ≥ 2.4.0, < 2.4.5 | 2024-08-21
CVE-2022-31102 Argo CD SSO users vulnerable to Cross-site Scripting in github.com/argoproj/argo-cd
Source: OSV
CVE-2025-47933 | P4 | CRITICAL | affected: ≥ 2.0.0-rc3, < 2.13.8; ≥ 2.14.0-rc1, < 2.14.13 | 2025-05-28
CVE-2025-47933 [CRITICAL] CWE-79 Argo CD allows cross-site scripting on repositories page
### Impact
This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository.
In `ui/src/app/s
Sources: GHSA, OSV
CVE-2022-31035 | P4 | CRITICAL | affected: ≥ 0, < 2.1.16; ≥ 2.2.0, < 2.2.10; +2 more | 2022-06-21
CVE-2022-31035 [CRITICAL] CWE-79 Argo CD's external URLs for Deployments can include JavaScript
### Impact
All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a `javascript:` link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin).
The script would be capable of doing an
Sources: GHSA, OSV
CVE-2024-28175 | P4 | CRITICAL | affected: ≥ 2.9.0, < 2.9.8; ≥ 2.10.0, < 2.10.3; +1 more | 2024-03-15
CVE-2024-28175 [CRITICAL] CWE-79 Cross-site scripting on application summary component
### Summary
Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions.
### Impact
All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing
Sources: GHSA, OSV
CVE-2022-41354 | P4 | MEDIUM | affected: ≥ 2.5.0, < 2.5.16; ≥ 2.6.0, < 2.6.7; +1 more | 2023-03-23
CVE-2022-41354 [MEDIUM] CWE-203 Argo CD authenticated but unauthorized users may enumerate Application names via the API
### Impact
All versions of Argo CD starting with v0.5.0 are vulnerable to an information disclosure bug allowing unauthorized users to enumerate application names by inspecting API error messages. An attacker could use the discovered application names as the starting point of another att
Sources: GHSA, OSV
CVE-2022-31036 | P4 | MEDIUM | affected: ≥ 0, < 2.1.16; ≥ 2.2.0, < 2.2.10; +2 more | 2022-06-21
CVE-2022-31036 [MEDIUM] CWE-20 Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server
### Impact
All unpatched versions of Argo CD starting with v1.3.0 are vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive YAML files from Argo CD's repo-server.
A malicious Argo CD user with write access for a repository which is (or may be)
Sources: GHSA, OSV