CVE-2025-47933: Argo CD allows cross-site scripting on repositories page

May 28, 2025 (updated May 29, 2025)

This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository.

In ui/src/app/shared/components/urls.ts, the following code exists to parse the repository URL.

References

github.com/advisories/GHSA-2hj5-g64g-fp6p
github.com/argoproj/argo-cd
github.com/argoproj/argo-cd/commit/a5b4041a79c54bc7b3d090805d070bcdb9a9e4d1
github.com/argoproj/argo-cd/security/advisories/GHSA-2hj5-g64g-fp6p
nvd.nist.gov/vuln/detail/CVE-2025-47933

Code Behaviors & Features

Detect and mitigate CVE-2025-47933 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →