CVE-2025-47933

Source
https://cve.org/CVERecord?id=CVE-2025-47933
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47933.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-47933
Aliases
Downstream
Related
Published
2025-05-29T19:30:39.108Z
Modified
2026-07-08T07:20:52.538551959Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Argo CD allows cross-site scripting on repositories page
Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. This issue has been patched in versions 2.13.8, 2.14.13, and 3.0.4.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/47xxx/CVE-2025-47933.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/argoproj/argo-cd

Affected ranges

Type
GIT
Repo
https://github.com/argoproj/argo-cd
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "CPE_STRING",
        "REFERENCES"
    ],
    "cpe": [
        "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:argoproj:argo_cd:1.2.0:rc1:*:*:*:*:*:*",
        "cpe:2.3:a:argoproj:argo_cd:1.2.0:rc2:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "1.2.1"
        },
        {
            "fixed": "2.13.8"
        },
        {
            "introduced": "2.14.0"
        },
        {
            "fixed": "2.14.13"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.0.4"
        },
        {
            "introduced": "1.2.0-rc1"
        },
        {
            "last_affected": "1.2.0-rc1"
        },
        {
            "introduced": "1.2.0-rc2"
        },
        {
            "last_affected": "1.2.0-rc2"
        }
    ]
}

Affected versions

1.*
1.2.0-rc1
1.2.0-rc2
v2.*
v2.14.0
v2.14.1
v2.14.10
v2.14.11
v2.14.12
v2.14.2
v2.14.3
v2.14.4
v2.14.5
v2.14.6
v2.14.7
v2.14.8
v2.14.9
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47933.json"