CVEReports
CVE-2025-47933 · CVSS 9.1 · EPSS 0.01%

GitOps to PwnOps: Deconstructing the Argo CD Stored XSS (CVE-2025-47933)

Amit Schendel
Senior Security Researcher

Jan 6, 2026·6 min read·26 visits

PoC Available

Executive Summary (TL;DR)

Improper protocol sanitization in Argo CD's repository management UI allows a malicious actor to inject `javascript:` payloads into repository URLs. When an administrator clicks the link, the payload executes, granting the attacker full control over the Argo CD API and the managed Kubernetes clusters. Patch immediately to 2.13.8+, 2.14.13+, or 3.0.4+.

A critical Stored Cross-Site Scripting (XSS) vulnerability in the Argo CD web interface allows attackers with repository edit permissions to execute arbitrary JavaScript in the context of other users, potentially leading to full Kubernetes cluster compromise via the API.
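The scheme check that this class of bug calls for, as an added example for auditing an exported repository list (this is not Argo CD's own `isValidURL` code). The allowlist, the scp-style pattern, the function names and the sample inventory are assumptions made for illustration.

```javascript
// Added example (not Argo CD code): flag repository URLs whose scheme a browser
// would treat as anything other than a plain Git/Helm location.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'ssh:', 'git:', 'oci:']); // assumed allowlist

// scp-style Git remote (user@host:path). It carries no URL scheme at all.
const SCP_STYLE = /^[\w.-]+@[\w.-]+:[^\s]+$/;

function classifyRepoUrl(raw) {
  if (typeof raw !== 'string' || raw.trim() === '') {
    return { safe: false, reason: 'empty or not a string' };
  }
  let scheme;
  try {
    // The WHATWG parser strips leading whitespace and embedded tabs/newlines
    // and lowercases the scheme, the same way a browser resolves an href.
    scheme = new URL(raw).protocol;
  } catch {
    return SCP_STYLE.test(raw.trim())
      ? { safe: true, reason: 'scp-style remote' }
      : { safe: false, reason: 'unparseable' };
  }
  return ALLOWED_SCHEMES.has(scheme)
    ? { safe: true, reason: scheme }
    : { safe: false, reason: `scheme ${scheme} not allowed` };
}

// Return only the entries that should not be rendered as clickable links.
function auditRepos(repos) {
  return repos
    .map((r) => ({ name: r.name, url: r.url, ...classifyRepoUrl(r.url) }))
    .filter((r) => !r.safe);
}

// Constructed sample inventory, e.g. as exported from a repository list.
const SAMPLE_REPOS = [
  { name: 'platform', url: 'https://git.example.com/org/platform.git' },
  { name: 'charts', url: 'git@git.example.com:org/charts.git' },
  { name: 'odd-1', url: 'javascript:void(0)' },
  { name: 'odd-2', url: ' JaVa\tScRiPt:void(0)' },
  { name: 'odd-3', url: 'data:text/html,placeholder' },
];

for (const r of auditRepos(SAMPLE_REPOS)) {
  console.log(`${r.name}: ${JSON.stringify(r.url)} -> ${r.reason}`);
}
```

Parsing with `URL` rather than a string prefix match is what catches the mixed-case and tab-split variant in `odd-2`.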

Official Patches

  • Argo Project: Official patch commit implementing isValidURL check
  • Red Hat: Red Hat Security Advisory

Technical Appendix

CVSS Score: 9.1 / 10
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS Probability: 0.01% (Top 99% most exploited)

Affected Systems

  • Argo CD API Server
  • Argo CD Web UI

Affected Versions Detail

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Argo CD (Argo Project) | >= 1.2.0-rc1, <= 1.8.7 | N/A (End of Life) |
| Argo CD (Argo Project) | >= 2.0.0-rc3, < 2.13.8 | 2.13.8 |
| Argo CD (Argo Project) | >= 2.14.0-rc1, < 2.14.13 | 2.14.13 |
| Argo CD (Argo Project) | >= 3.0.0-rc1, < 3.0.4 | 3.0.4 |

| Attribute | Detail |
|---|---|
| CVE ID | CVE-2025-47933 |
| CVSS v3.1 | 9.1 (Critical) |
| Attack Vector | Network (Stored XSS) |
| CWE | CWE-79 (Improper Neutralization of Input) |
| Impact | RCE / Cluster Compromise |
| Authentication | Required (Low Privilege) |
| EPSS Score | 0.00011 (Low probability) |

MITRE ATT&CK Mapping

  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1059.007 Command and Scripting Interpreter: JavaScript (Execution)
  • T1552 Unsecured Credentials (Credential Access)
  • T1078 Valid Accounts (Defense Evasion)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Known Exploits & Detection

Internal Research: Primary attack vector involves creating a repository with a `javascript:` URI scheme.

Vulnerability Timeline

  • 2025-05-28: Patch committed to Argo CD repository
  • 2025-05-29: Public disclosure and GHSA published
  • 2025-06-02: Included in CISA Weekly Summary
