Platform: go
Component: github.com/argoproj/argo-cd
Fixed in: 1.2.1, 2.0.1, 2.14.1, 3.0.1, 1.8.8
CVE-2025-47933 is a Cross-Site Scripting (XSS) vulnerability in Argo CD that affects the repositories page. It allows attackers to inject malicious scripts into that page, potentially compromising user sessions and sensitive data. The vulnerability affects Argo CD versions prior to 3.0.4; a patch has been released to address it.
The XSS vulnerability in Argo CD's repositories page allows an attacker to inject arbitrary JavaScript code into the page. When a user visits the compromised page, the malicious script executes in their browser context, with the same privileges as the user. This can lead to several severe consequences, including session hijacking, where the attacker gains control of the user's account. Sensitive data, such as API keys, credentials, and application secrets stored within Argo CD, could also be exposed. Furthermore, an attacker could potentially leverage this vulnerability to perform actions on behalf of the user, such as modifying application deployments or accessing sensitive repositories.
CVE-2025-47933 was publicly disclosed on 2025-05-29. There is currently no indication of active exploitation in the wild, but the vulnerability's CRITICAL severity and ease of exploitation suggest a high likelihood of future attacks. No Proof-of-Concept (PoC) code has been publicly released as of this writing. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS: 0.03% (8th percentile)
The primary mitigation for CVE-2025-47933 is to upgrade Argo CD to version 3.0.4 or later, which includes the fix. If an immediate upgrade is not feasible, consider implementing strict input validation and output encoding on the repositories page so that user-supplied data is sanitized before it is rendered. A Web Application Firewall (WAF) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review Argo CD's access controls and ensure that users hold only the permissions they need for their tasks.
Update Argo CD to version 2.13.8, 2.14.13 or 3.0.4, or a later version. This fixes the cross-site scripting vulnerability on the repositories page. The update can be performed through the Argo CD user interface or via the command line.
CVE-2025-47933 is a CRITICAL XSS vulnerability in Argo CD's repositories page, allowing attackers to inject malicious scripts and potentially compromise user sessions and data.
If you are running Argo CD versions prior to 3.0.4, you are vulnerable to this XSS attack. Immediately assess your environment and apply the necessary patch.
The recommended fix is to upgrade Argo CD to version 3.0.4 or later. If immediate upgrade is not possible, implement input validation and WAF rules as temporary mitigations.
As of this writing, there is no confirmed evidence of active exploitation in the wild, but the vulnerability's severity warrants immediate attention and remediation.
Refer to the official Argo CD security advisory for detailed information and updates regarding CVE-2025-47933: [https://argoproj.github.io/cd/security/](https://argoproj.github.io/cd/security/)