GHSA-2hj5-g64g-fp6p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2hj5-g64g-fp6p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-2hj5-g64g-fp6p/GHSA-2hj5-g64g-fp6p.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2hj5-g64g-fp6p
- Aliases
- Related
- Published
- 2025-05-28T17:36:32Z
- Modified
- 2025-05-31T06:27:09.890132Z
- Severity
-
- 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Argo CD allows cross-site scripting on repositories page
- Details
-
Impact
This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository.
In
ui/src/app/shared/components/urls.ts, the following code exists to parse the repository URL.https://github.com/argoproj/argo-cd/blob/0ae5882d5ae9fe88efc51f65ca8543fb8c3a0aa1/ui/src/app/shared/components/urls.ts#L14-L26
Since this code doesn't validate the protocol of repository URLs, it's possible to inject
javascript:URLs here.https://github.com/argoproj/argo-cd/blob/0ae5882d5ae9fe88efc51f65ca8543fb8c3a0aa1/ui/src/app/shared/components/repo.tsx#L5-L7
As the return value of this function is used in the
hrefattribute of theatag, it's possible to achieve cross-site scripting by usingjavascript:URLs.Browsers may return the proper hostname for
javascript:URLs, allowing exploitation of this vulnerability.Patches
A patch for this vulnerability has been released in the following Argo CD versions: - v3.0.4 - v2.14.13 - v2.13.8
The patch incorporates a way to validate the URL being passed in. Returning
nullif the validation fails.Workarounds
There are no workarounds other than depending on the browser to filter the URL.
Credits
Disclosed by @Ry0taK RyotaK.
For more information
Open an issue in the Argo CD issue tracker or discussions Join us on Slack in channel #argo-cd
- Database specific
{ "nvd_published_at": "2025-05-29T20:15:27Z", "cwe_ids": [ "CWE-79" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2025-05-28T17:36:32Z" }- References
Affected packages
Go / github.com/argoproj/argo-cd
Package
- Name
- github.com/argoproj/argo-cd
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/argoproj/argo-cd
Go / github.com/argoproj/argo-cd/v2
Package
- Name
- github.com/argoproj/argo-cd/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/argoproj/argo-cd/v2
Go / github.com/argoproj/argo-cd/v2
Package
- Name
- github.com/argoproj/argo-cd/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/argoproj/argo-cd/v2
Go / github.com/argoproj/argo-cd/v3
Package
- Name
- github.com/argoproj/argo-cd/v3
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/argoproj/argo-cd/v3