Go modules package

github.com/argoproj/argo-cd/v2

pkg:golang/github.com/argoproj/argo-cd/v2

Vulnerabilities (36)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-59538	—	>= 2.9.0-rc1, < 2.14.20	2.14.20	Oct 1, 2025	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /a
CVE-2025-59537	—	>= 2.0.0-rc1, < 2.14.20	2.14.20	Oct 1, 2025	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to
CVE-2025-59531	—	>= 2.0.0-rc1, < 2.14.20	2.14.20	Oct 1, 2025	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to
CVE-2025-55191	—	>= 2.1.0, < 2.14.20	2.14.20	Sep 30, 2025	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic
CVE-2025-55190	—	>= 2.13.0, < 2.13.9	2.13.9	Sep 4, 2025	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (
CVE-2025-47933	—	>= 2.0.0-rc3, < 2.13.8	2.13.8	May 29, 2025	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacke
CVE-2025-23216	—	>= 2.13.0, < 2.13.4	2.13.4	Jan 30, 2025	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes th
CVE-2024-41666	—	>= 2.6.0, < 2.9.21	2.9.21	Jul 24, 2024	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and gran
CVE-2024-40634	—	< 2.9.20	2.9.20	Jul 22, 2024	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation t
CVE-2024-31989	—	< 2.8.19	2.8.19	May 21, 2024	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin
CVE-2024-32476	—	>= 2.10.0, < 2.10.8	2.10.8	Apr 26, 2024	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service (DoS) vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched in version(s) 2.10.7, 2.9.12 and 2.8.16.
CVE-2024-31990	—	>= 2.4.0, < 2.8.16	2.8.16	Apr 15, 2024	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.
CVE-2024-29893	—	>= 2.4.0, < 2.8.14	2.8.14	Mar 29, 2024	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server componen
CVE-2024-21662	—	< 2.8.13	2.8.13	Mar 18, 2024	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in securi
CVE-2024-21661	—	< 2.8.13	2.8.13	Mar 18, 2024	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all u
CVE-2024-21652	—	< 2.8.13	2.8.13	Mar 18, 2024	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the appli
CVE-2023-50726	—	>= 2.9.0, < 2.9.8	2.9.8	Mar 13, 2024	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted
CVE-2024-28175	—	>= 2.9.0, < 2.9.8	2.9.8	Mar 13, 2024	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated p
CVE-2024-22424	—	< 2.7.16	2.7.16	Jan 19, 2024	Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15 are vulnerable to a cross-server request forgery (CSRF) attack when the attacker has the ability to write HTML to a page on the same pare
CVE-2023-40026	—	< 2.3.0	2.3.0	Sep 27, 2023	Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the sam

CVE-2025-59538Oct 1, 2025
affected >= 2.9.0-rc1, < 2.14.20fixed 2.14.20
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /a
CVE-2025-59537Oct 1, 2025
affected >= 2.0.0-rc1, < 2.14.20fixed 2.14.20
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to
CVE-2025-59531Oct 1, 2025
affected >= 2.0.0-rc1, < 2.14.20fixed 2.14.20
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to
CVE-2025-55191Sep 30, 2025
affected >= 2.1.0, < 2.14.20fixed 2.14.20
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic
CVE-2025-55190Sep 4, 2025
affected >= 2.13.0, < 2.13.9fixed 2.13.9
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (
CVE-2025-47933May 29, 2025
affected >= 2.0.0-rc3, < 2.13.8fixed 2.13.8
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacke
CVE-2025-23216Jan 30, 2025
affected >= 2.13.0, < 2.13.4fixed 2.13.4
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes th
CVE-2024-41666Jul 24, 2024
affected >= 2.6.0, < 2.9.21fixed 2.9.21
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and gran
CVE-2024-40634Jul 22, 2024
affected < 2.9.20fixed 2.9.20
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation t
CVE-2024-31989May 21, 2024
affected < 2.8.19fixed 2.8.19
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin
CVE-2024-32476Apr 26, 2024
affected >= 2.10.0, < 2.10.8fixed 2.10.8
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service (DoS) vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched in version(s) 2.10.7, 2.9.12 and 2.8.16.
CVE-2024-31990Apr 15, 2024
affected >= 2.4.0, < 2.8.16fixed 2.8.16
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.
CVE-2024-29893Mar 29, 2024
affected >= 2.4.0, < 2.8.14fixed 2.8.14
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server componen
CVE-2024-21662Mar 18, 2024
affected < 2.8.13fixed 2.8.13
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in securi
CVE-2024-21661Mar 18, 2024
affected < 2.8.13fixed 2.8.13
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all u
CVE-2024-21652Mar 18, 2024
affected < 2.8.13fixed 2.8.13
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the appli
CVE-2023-50726Mar 13, 2024
affected >= 2.9.0, < 2.9.8fixed 2.9.8
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted
CVE-2024-28175Mar 13, 2024
affected >= 2.9.0, < 2.9.8fixed 2.9.8
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated p
CVE-2024-22424Jan 19, 2024
affected < 2.7.16fixed 2.7.16
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15 are vulnerable to a cross-server request forgery (CSRF) attack when the attacker has the ability to write HTML to a page on the same pare
CVE-2023-40026Sep 27, 2023
affected < 2.3.0fixed 2.3.0
Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the sam

Page 1 of 2