Go modules package
github.com/argoproj/argo-cd
pkg:golang/github.com/argoproj/argo-cd
Vulnerabilities (32)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-59537 | — | | | >= 1.2.0, <= 1.8.7 | — | Oct 1, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to |
| CVE-2025-59531 | — | | | >= 1.2.0, <= 1.8.7 | — | Oct 1, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to |
| CVE-2025-47933 | — | | | >= 1.2.0-rc1, <= 1.8.7 | — | May 29, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacke |
| CVE-2025-23216 | — | | | <= 1.8.7 | — | Jan 30, 2025 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes th |
| CVE-2024-40634 | — | | | >= 1.0.0, <= 1.8.7 | — | Jul 22, 2024 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation t |
| CVE-2024-36106 | — | | | >= 0.11.0, < 2.9.17 | 2.9.17 | Jun 6, 2024 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It's possible for authenticated users to enumerate clusters by name by inspecting error messages. It's also possible to enumerate the names of projects with project-scoped clusters if you know the names of |
| CVE-2024-31989 | — | | | <= 1.8.7 | — | May 21, 2024 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin |
| CVE-2024-21661 | — | | | <= 1.8.7 | — | Mar 18, 2024 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all u |
| CVE-2023-50726 | — | | | >= 1.2.0-rc1, <= 1.8.7 | — | Mar 13, 2024 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted |
| CVE-2024-28175 | — | | | >= 1.0.0, <= 1.8.7 | — | Mar 13, 2024 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated p |
| CVE-2024-22424 | — | | | >= 0.1.0, <= 1.8.7 | — | Jan 19, 2024 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15 are vulnerable to a cross-server request forgery (CSRF) attack when the attacker has the ability to write HTML to a page on the same pare |
| CVE-2023-40026 | — | | | <= 1.8.7 | — | Sep 27, 2023 | Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the sam |
| CVE-2022-41354 | — | | | >= 0.5.0, <= 1.8.7 | — | Mar 27, 2023 | An access control issue in Argo CD v2.4.12 and below allows unauthenticated attackers to enumerate existing applications. |
| CVE-2023-23947 | — | | | >= 2.3.0, < 2.3.17 | 2.3.17 | Feb 16, 2023 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23, 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one clu |
| CVE-2023-22482 | — | | | >= 1.8.2, < 2.3.14 | 2.3.14 | Jan 25, 2023 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers |
| CVE-2022-31102 | — | | | >= 2.3.0, < 2.3.6 | 2.3.6 | Jul 12, 2022 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with 2.3.0 and prior to 2.3.6 and 2.4.5 is vulnerable to a cross-site scripting (XSS) bug which could allow an attacker to inject arbitrary JavaScript in the `/auth/callback` page in a vict |
| CVE-2022-31105 | — | | | >= 0.4.0, < 2.2.11 | 2.2.11 | Jul 12, 2022 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious (or otherwise untrustworthy) |
| CVE-2022-1025 | — | | | >= 0.5.0, <= 1.8.7 | — | Jul 12, 2022 | All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level. |
| CVE-2022-31036 | — | | | >= 1.3.0, < 2.1.16 | 2.1.16 | Jun 27, 2022 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.3.0 are vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive YAML files from Argo CD's repo-server. A malic |
| CVE-2022-31035 | — | | | >= 1.0.0, < 2.1.16 | 2.1.16 | Jun 27, 2022 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a `javascript:` link in the UI. When clicked by a victim user, the script |