=====================================================================
CERT-Renater Note d'Information No. 2025/VULN339
_____________________________________________________________________

DATE                 : 05/06/2025 (5 June 2025)
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Argo CD (github.com/argoproj/argo-cd, argo-cd/v2, argo-cd/v3)
=====================================================================

https://github.com/advisories/GHSA-2hj5-g64g-fp6p
_____________________________________________________________________

Argo CD allows cross-site scripting on repositories page
Critical severity | GitHub Reviewed | Published May 28, 2025 in argoproj/argo-cd | Updated May 29, 2025

Vulnerability details

Package : github.com/argoproj/argo-cd (Go)
  Affected versions : >= 1.2.0-rc1, <= 1.8.7
  Patched versions  : None

Package : github.com/argoproj/argo-cd/v2 (Go)
  Affected versions : >= 2.0.0-rc3, < 2.13.8
                      >= 2.14.0-rc1, < 2.14.13
  Patched versions  : 2.13.8, 2.14.13

Package : github.com/argoproj/argo-cd/v3 (Go)
  Affected versions : < 3.0.4
  Patched versions  : 3.0.4

Description

Impact

This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. Because the repositories page does not filter URL protocols, an attacker who has permission to edit a repository can achieve cross-site scripting against any user who views that page.

In ui/src/app/shared/components/urls.ts, the following code parses the repository URL:

https://github.com/argoproj/argo-cd/blob/0ae5882d5ae9fe88efc51f65ca8543fb8c3a0aa1/ui/src/app/shared/components/urls.ts#L14-L26

Since this code does not validate the protocol of the repository URL, a javascript: URL can be injected here.
https://github.com/argoproj/argo-cd/blob/0ae5882d5ae9fe88efc51f65ca8543fb8c3a0aa1/ui/src/app/shared/components/repo.tsx#L5-L7

The return value of this function is used in the href attribute of an <a> tag, so a javascript: URL reaches the link and cross-site scripting is achieved when the victim follows it. Browsers may return the proper hostname for javascript: URLs, so a javascript: URL whose authority part names a supported host still passes the host check, allowing exploitation of this vulnerability.

Patches

A patch for this vulnerability has been released in the following Argo CD versions:
  v3.0.4
  v2.14.13
  v2.13.8

The patch validates the URL being passed in and returns null if the validation fails.

Workarounds

There are no workarounds other than depending on the browser to filter the URL.

Credits

Disclosed by @Ry0taK (RyotaK).

For more information

  Open an issue in the Argo CD issue tracker or discussions
  Join us on Slack in channel #argo-cd

References

  GHSA-2hj5-g64g-fp6p
  argoproj/argo-cd@a5b4041
  https://nvd.nist.gov/vuln/detail/CVE-2025-47933

Severity

Critical, 9.1/10

CVSS v3 base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : Low
  User interaction    : Required
  Scope               : Changed
  Confidentiality     : High
  Integrity           : High
  Availability        : High
  Vector              : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS score  : (12th percentile)
Weaknesses  : CWE-79
CVE ID      : CVE-2025-47933
GHSA ID     : GHSA-2hj5-g64g-fp6p
Source code : argoproj/argo-cd

Credits
  @Ry0taK (Ry0taK), Reporter
  @crenshaw-dev (crenshaw-dev), Coordinator

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41            +
+ 75013 Paris           | email : cert@support.renater.fr +
=========================================================