CVE-2025-47933

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. This issue has been patched in versions 2.13.8, 2.14.13, and 3.0.4.

How to fix CVE-2025-47933

To remediate CVE-2025-47933, upgrade the affected package to a fixed version below.

• —upgrade to 2.13.8 or later
• —no fix listed
• —no fix listed
• —upgrade to 2.13.8 or later
• —upgrade to 2.13.8 or later
• —upgrade to 3.0.4 or later
• —upgrade to 3.0.4 or later

Is CVE-2025-47933 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (7)

• >= 1.2.0, < 2.13.8, >= 2.14.0, < 2.14.13, >= 3.0.0, < 3.0.4
• >= 1.2.0-rc1, <= 1.8.7
• >= 1.2.0-rc1
• >= 2.0.0-rc3, < 2.13.8, >= 2.14.0-rc1, < 2.14.13
• >= 2.0.0-rc3, < 2.13.8
• from 0, < 3.0.4
• from 0, < 3.0.4

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-47933
• PATCHgithub.com/argoproj/argo-cd
• WEBgithub.com/argoproj/argo-cd/commit/a5b4041a79c54bc7b3d090805d070bcdb9a9e4d1
• WEBgithub.com/argoproj/argo-cd/security/advisories/GHSA-2hj5-g64g-fp6p