
CVE-2025-47933 github.com/argoproj/argo-cd

Package

Manager: go
Name: github.com/argoproj/argo-cd
Vulnerable Version: >=1.2.0-rc1 <=1.8.7

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00017 (percentile 0.02862)

Details

Argo CD allows cross-site scripting on repositories page

### Impact

This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. Because the repositories page does not properly filter URL protocols, an attacker with permission to edit a repository can achieve cross-site scripting.

In `ui/src/app/shared/components/urls.ts`, the following code parses the repository URL:

https://github.com/argoproj/argo-cd/blob/0ae5882d5ae9fe88efc51f65ca8543fb8c3a0aa1/ui/src/app/shared/components/urls.ts#L14-L26

Since this code doesn't validate the protocol of repository URLs, it's possible to inject `javascript:` URLs here.

https://github.com/argoproj/argo-cd/blob/0ae5882d5ae9fe88efc51f65ca8543fb8c3a0aa1/ui/src/app/shared/components/repo.tsx#L5-L7

As the return value of this function is used in the `href` attribute of the `a` tag, a `javascript:` URL results in cross-site scripting. Browsers may return the proper hostname for `javascript:` URLs, allowing exploitation of this vulnerability.

### Patches

A patch for this vulnerability has been released in the following Argo CD versions:

- v3.0.4
- v2.14.13
- v2.13.8

The patch validates the URL being passed in and returns `null` if the validation fails.

### Workarounds

There are no workarounds other than depending on the browser to filter the URL.

### Credits

Disclosed by @Ry0taK [RyotaK](https://ryotak.net).

### For more information

Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions). Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd.
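The defect class and the fix described above, as an added example that is not Argo CD's own code: an illustrative repository-link helper that takes the hostname from the input but never inspects the scheme, beside a hardened form that allowlists git transport schemes and returns `null` otherwise. The function names, the allowlist and the scp-style regex are assumptions.

```javascript
// Added example, not Argo CD's own code: an illustrative repository-link helper
// with the defect class from the advisory (hostname taken from the input, scheme
// never checked) beside a hardened form that allowlists git transport schemes and
// returns null otherwise. Names such as repoLinkUnsafe/repoLinkSafe are hypothetical.

const ALLOWED_PROTOCOLS = new Set(['https:', 'http:', 'ssh:', 'git:']);

// scp-style syntax (git@host.tld:org/repo.git) is not a WHATWG URL, so it is
// matched separately. The host must contain a dot, so a bare "javascript:"
// prefix never satisfies this branch. Assumed shape, sufficient for the demo.
const SCP_LIKE = /^(?:[\w.-]+@)?([\w-]+(?:\.[\w-]+)+):([\w./-]+)$/;

function repoPath(parsed) {
  return parsed.pathname.replace(/^\/+/, '').replace(/\.git$/, '');
}

// Vulnerable pattern: only the hostname is checked, the scheme never is, so
// "javascript://github.com/..." (a javascript: URL for which the parser still
// reports hostname github.com) is returned untouched and lands in an href.
function repoLinkUnsafe(repoUrl) {
  try {
    return new URL(repoUrl).hostname ? repoUrl : null;
  } catch {
    return null; // not a WHATWG URL
  }
}

// Hardened: the scheme allowlist is the check the vulnerable code lacks. Anything
// else yields null, which the caller should render as plain text, not as <a href>.
function repoLinkSafe(repoUrl) {
  if (typeof repoUrl !== 'string') return null;
  const input = repoUrl.trim();
  const scp = SCP_LIKE.exec(input);
  if (scp) return `https://${scp[1]}/${scp[2].replace(/\.git$/, '')}`;
  let parsed;
  try {
    parsed = new URL(input);
  } catch {
    return null;
  }
  // Protocol is lowercased by the parser, so "JavaScript:" is caught as well.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol) || !parsed.hostname) return null;
  return `https://${parsed.hostname}/${repoPath(parsed)}`;
}
```

Note that the rejected input still parses with hostname `github.com`, which is why a hostname-only check is not a defence and the scheme itself has to be validated.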

Metadata

Created: 2025-05-28T17:36:32Z
Modified: 2025-05-29T21:59:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-2hj5-g64g-fp6p/GHSA-2hj5-g64g-fp6p.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-2hj5-g64g-fp6p
Finding: F008
Auto approve: 1