CVE-2025-47933

CRITICAL

Argo CD < 2.13.8, 2.14.13, 3.0.4 - Cross-Site Scripting via Repository Page URL Protocol

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-47933. PoCs published by manus-use.

AI-analyzed exploit summary The repository contains a functional exploit for CVE-2025-47933 targeting Argo CD, along with other PoCs for various CVEs. The Argo CD exploit includes a server.py and x.py, demonstrating a working proof-of-concept for remote code execution.

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.13.8, 2.14.13, and 3.0.4, an attacker can perform arbitrary actions on behalf of the victim via the API. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. This issue has been patched in versions 2.13.8, 2.14.13, and 3.0.4.

Exploits (1)

github WORKING POC

by manus-use · postscriptpoc

https://github.com/manus-use/cve-pocs/tree/main/argo-cd-CVE-2025-47933

View Code ZIP pw:eip

The repository contains a functional exploit for CVE-2025-47933 targeting Argo CD, along with other PoCs for various CVEs. The Argo CD exploit includes a server.py and x.py, demonstrating a working proof-of-concept for remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Argo CD

No auth needed

Prerequisites: network access to the target · vulnerable version of Argo CD

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (2)

Core 2

Core References

Patch, Third Party Advisory x_refsource_confirm

https://github.com/argoproj/argo-cd/security/advisories/GHSA-2hj5-g64g-fp6p

Patch x_refsource_misc

https://github.com/argoproj/argo-cd/commit/a5b4041a79c54bc7b3d090805d070bcdb9a9e4d1

View Patch ZIP pw:eip

Scores

CVSS v3 9.0

EPSS 0.0007

EPSS Percentile 21.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-79

Status published

Products (5)

argoproj/argo-cd 0 - 3.0.4Go

argoproj/argo-cd 1.2.0-rc1Go

argoproj/argo-cd 2.0.0-rc3 - 2.13.8Go

argoproj/argo_cd 1.2.0 rc1 (2 CPE variants)

argoproj/argo_cd 1.2.1 - 2.13.8

Published May 29, 2025

Tracked Since Feb 18, 2026