github.com/argoproj/argo-cd/v2
Go · 45 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting github.com/argoproj/argo-cd/v2
- CVE-2021-23347 | MEDIUM | CVSS 4.7 | EG 4.7 | ✓ Fixed in 1.8.6 | 2021-03-03
The package github.com/argoproj/argo-cd/cmd before 1.7.13, and from 1.8.0 before 1.8.6, is vulnerable to Cross-site Scripting (XSS): the SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScri…
- CVE-2022-1025 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 2.3.2 | 2022-07-12
All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level.
- CVE-2022-24348 | HIGH | CVSS 7.7 | EG 7.7 | ✓ Fixed in 2.2.4 | 2022-02-04
Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. For example, an attacker may be able to discover credentials stored in a YAML file.
- CVE-2022-24730 | HIGH | CVSS 7.7 | EG 7.7 | ✓ Fixed in 2.3.0 | 2022-03-23
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.3.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal bug, compounded by an improper access control bug,…
- CVE-2022-24731 | MEDIUM | CVSS 6.8 | EG 6.8 | ✓ Fixed in 2.3.0 | 2022-03-23
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.5.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal vulnerability, allowing a malicious user with read…
- CVE-2022-24768 | CRITICAL | CVSS 9.9 | EG 9.9 | ✓ Fixed in 2.3.2 | 2022-03-23
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All unpatched versions of Argo CD starting with 1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privi…
- CVE-2022-24904 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 2.3.4 | 2022-05-20
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.7.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 is vulnerable to a symlink following bug allowing a malicious user with repository…
- CVE-2022-24905 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 2.3.4 | 2022-05-20
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on the login screen when single sign …
- CVE-2022-29165 | CRITICAL | CVSS 10.0 | EG 10.0 | ✓ Fixed in 2.3.4 | 2022-05-20
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated …
- CVE-2022-31016 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 2.4.1 | 2022-06-25
Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in…
- CVE-2022-31034 | HIGH | CVSS 8.3 | EG 8.3 | ✓ Fixed in 2.4.1 | 2022-06-27
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities a…
- CVE-2022-31035 | CRITICAL | CVSS 9.0 | EG 9.0 | ✓ Fixed in 2.4.1 | 2022-06-27
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a `javascript:` link in the UI. W…
- CVE-2022-31036 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 2.4.1 | 2022-06-27
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.3.0 are vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive YAML …
- CVE-2022-31102 | LOW | CVSS 2.6 | EG 2.6 | ✓ Fixed in 2.4.5 | 2022-07-12
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with 2.3.0 and prior to 2.3.6 and 2.4.5 is vulnerable to a cross-site scripting (XSS) bug which could allow an attacker to inject arbitrary JavaScri…
- CVE-2022-31105 | HIGH | CVSS 8.3 | EG 8.3 | ✓ Fixed in 2.4.5 | 2022-07-12
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust …
- CVE-2022-41354 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 2.6.7 | 2023-03-27
An access control issue in Argo CD v2.4.12 and below allows unauthenticated attackers to enumerate existing applications.
- CVE-2023-22482 | CRITICAL | CVSS 9.0 | EG 9.0 | ✓ Fixed in 2.6.0-rc5 | 2023-01-26
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper authorization bug causing the API to accep…
- CVE-2023-22736 | HIGH | CVSS 8.5 | EG 8.5 | ✓ Fixed in 2.6.0-rc5 | 2023-01-26
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass bug which allows a malicious Argo CD use…
- CVE-2023-23947 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 2.6.2 | 2023-02-16
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23, 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who ha…
- CVE-2023-25163 | MEDIUM | CVSS 6.3 | EG 6.3 | ✓ Fixed in 2.6.1 | 2023-02-08
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages ar…
- CVE-2023-40025 | MEDIUM | CVSS 4.7 | EG 4.7 | ✓ Fixed in 2.8.1 | 2023-08-23
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages e…
- CVE-2023-40026 | MEDIUM | CVSS 5.0 | EG 5.0 | ✓ Fixed in 2.3.0 | 2023-09-27
Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could referenc…
- CVE-2023-40029 | CRITICAL | CVSS 9.9 | EG 9.9 | ✓ Fixed in 2.8.3 | 2023-09-07
Argo CD is a declarative continuous deployment for Kubernetes. Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored in `kubectl.kubernetes.io/last-applied-configur…
- CVE-2023-40584 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 2.8.3 | 2023-09-07
Argo CD is a declarative continuous deployment for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, the said component…
- CVE-2023-50726 | MEDIUM | CVSS 6.4 | EG 6.4 | ✓ Fixed in 2.10.3 | 2024-03-13
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature shoul…
- CVE-2024-21652 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.10.4 | 2024-03-18
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage …
- CVE-2024-21661 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.10.4 | 2024-03-18
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the a…
- CVE-2024-21662 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.10.4 | 2024-03-18
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache…
- CVE-2024-22424 | HIGH | CVSS 8.3 | EG 8.3 | ✓ Fixed in 2.10-rc2 | 2024-01-19 | vulnerable: 2.10.0-rc1
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15 is vulnerable to a cross-server request forgery (CSRF) attack when the attacker has the ability…
- CVE-2024-28175 | CRITICAL | CVSS 9.0 | EG 9.0 | ✓ Fixed in 2.10.3 | 2024-03-13
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can ach…
- CVE-2024-29893 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 2.10.5 | 2024-03-29
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's p…
- CVE-2024-31989 | CRITICAL | CVSS 9.0 | EG 9.0 | ✓ Fixed in 2.11.1 | 2024-05-21
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed…
- CVE-2024-31990 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 2.10.7 | 2024-04-15
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulnera…
- CVE-2024-32476 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 2.10.8 | 2024-05-14
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service (DoS) vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched in version(s) 2.10.7, 2.9.12 and 2.8.16.
- CVE-2024-36106 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 2.11.3 | 2024-06-06
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with proj…
- CVE-2024-37152 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 2.11.3 | 2024-06-06
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidde…
- CVE-2024-40634 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.11.6 | 2024-07-22
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoi…
- CVE-2024-41666 | MEDIUM | CVSS 4.7 | EG 4.7 | ✓ Fixed in 2.11.7 | 2024-07-24
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the adm…
- CVE-2025-23216 | MEDIUM | CVSS 6.8 | EG 6.8 | ✓ Fixed in 2.13.4 | 2025-01-30
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a…
- CVE-2025-47933 | CRITICAL | CVSS 9.0 | EG 9.0 | ✓ Fixed in 2.13.8 | 2025-05-29
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL pro…
- CVE-2025-55190 | CRITICAL | CVSS 9.9 | EG 9.9 | ✓ Fixed in 2.13.9 | 2025-09-04
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to re…
- CVE-2025-55191 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 2.14.20 | 2025-09-30
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler t…
- CVE-2025-59531 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.14.20 | 2025-10-01
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the A…
- CVE-2025-59537 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.14.20 | 2025-10-01
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the A…
- CVE-2025-59538 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.14.20 | 2025-10-01
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not…