{"package":"github.com/argoproj/argo-cd","ecosystem":"go","latest_version":"v1.8.6","description":"Declarative Continuous Deployment for Kubernetes","license":"Apache-2.0","license_risk":"permissive","commercial_use_notes":"Permissive: commercial closed-source use OK; preserve the copyright notice.","homepage":"https://pkg.go.dev/github.com/argoproj/argo-cd","repository":"https://github.com/argoproj/argo-cd","downloads_weekly":22706,"health":{"score":30,"risk":"critical","breakdown":{"maintenance":0,"popularity":10,"security":0,"maturity":15,"community":5},"deprecated":false,"max_score":100},"vulnerabilities":{"count":47,"critical":7,"high":10,"medium":10,"low":20,"details":[{"vuln_id":"CVE-2022-24768","severity":"critical","summary":"Improper access control allows admin privilege escalation in Argo CD","affected_versions":">=0.5.0,<2.1.14|>=2.2.0,<2.2.8|>=2.3.0,<2.3.2","fixed_version":"2.3.2","source":"osv","published_at":"2022-03-24T00:18:54Z","in_kev":false,"epss_prob":0.00396,"epss_percentile":0.60433,"threat_tier":"theoretical"},{"vuln_id":"BIT-argo-cd-2025-47933","severity":"critical","summary":"Argo CD allows cross-site scripting on repositories page","affected_versions":">=1.2.0-rc1,<=1.8.7|>=2.0.0-rc3,<2.13.8|>=2.14.0-rc1,<2.14.13|<3.0.4","fixed_version":"3.0.4","source":"osv","published_at":"2025-05-28T17:36:32Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2022-31034","severity":"high","summary":"Insecure entropy in Argo CD's PKCE/Oauth2/OIDC params","affected_versions":">=0.11.0,<2.1.16|<2.1.16|>=2.2.0,<2.2.10|>=2.3.0,<2.3.5|>=2.4.0,<2.4.1|=2.4.0","fixed_version":"2.4.1","source":"osv","published_at":"2022-06-21T20:03:23Z","in_kev":false,"epss_prob":0.00418,"epss_percentile":0.6188,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-41354","severity":"medium","summary":"Argo CD authenticated but unauthorized users may enumerate Application names via the API","affected_versions":">=0.5.0,<=1.8.7|>=2.5.0,<2.5.16|>=2.6.0,<2.6.7|<2.4.28","fixed_version":"2.4.28","source":"osv","published_at":"2023-03-23T19:49:11Z","in_kev":false,"epss_prob":0.01127,"epss_percentile":0.78364,"threat_tier":"theoretical"},{"vuln_id":"BIT-argo-cd-2024-36106","severity":"medium","summary":"Argo-cd authenticated users can enumerate clusters by name","affected_versions":">=0.11.0,<2.9.17|>=2.10.0,<2.10.12|>=2.11.0,<2.11.3","fixed_version":"2.11.3","source":"osv","published_at":"2024-06-06T19:04:54Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-argo-cd-2025-23216","severity":"medium","summary":"Argo CD does not scrub secret values from patch errors","affected_versions":">=2.13.0,<2.13.4|>=2.12.0,<2.12.10|<2.11.13|<=1.8.7","fixed_version":"2.11.13","source":"osv","published_at":"2025-01-30T17:52:45Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2022-24348","severity":"high","summary":"Path traversal and dereference of symlinks in Argo CD","affected_versions":"<2.1.9|>=2.2.0,<2.2.4|<2.1.9","fixed_version":"2.1.9","source":"osv","published_at":"2022-02-07T19:06:18Z","in_kev":false,"epss_prob":0.03399,"epss_percentile":0.87447,"threat_tier":"theoretical"},{"vuln_id":"CVE-2023-40026","severity":"medium","summary":"Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server","affected_versions":"<=1.8.7|<2.3.0","fixed_version":"2.3.0","source":"osv","published_at":"2023-09-27T20:14:44Z","in_kev":false,"epss_prob":0.00214,"epss_percentile":0.43798,"threat_tier":"theoretical"},{"vuln_id":"BIT-argo-cd-2024-21661","severity":"high","summary":"Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment","affected_versions":"<=1.8.7|<2.8.13|>=2.9.0,<2.9.9|>=2.10.0,<2.10.4","fixed_version":"2.10.4","source":"osv","published_at":"2024-03-18T20:28:42Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"GO-2022-0387","severity":"medium","summary":"Helm OCI credentials leaked into Argo CD logs","affected_versions":"<1.7.14|>=1.8.0,<1.8.7","fixed_version":"1.8.7","source":"osv","published_at":"2021-05-21T14:31:28Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2022-31105","severity":"high","summary":"Argo CD certificate verification is skipped for connections to OIDC providers","affected_versions":">=0.4.0,<2.2.11|>=2.3.0,<2.3.6|>=2.4.0,<2.4.5","fixed_version":"2.4.5","source":"osv","published_at":"2022-07-12T22:05:11Z","in_kev":false,"epss_prob":0.00254,"epss_percentile":0.48648,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-22424","severity":"high","summary":"github.com/argoproj/argo-cd Cross-Site Request Forgery vulnerability","affected_versions":">=0.1.0,<=1.8.7|<2.7.16|>=2.8.0-rc1,<2.8.8|>=2.9.0-rc1,<2.9.4|>=2.10.0-rc1,<2.10-rc2|=2.10.0-rc1","fixed_version":"2.10-rc2","source":"osv","published_at":"2024-01-19T20:37:53Z","in_kev":false,"epss_prob":0.00064,"epss_percentile":0.19864,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-1025","severity":"high","summary":"Argo CD improper access control bug can allow malicious user to escalate privileges to admin level","affected_versions":">=0.5.0,<=1.8.7|<2.1.14|>=2.2.0,<2.2.8|>=2.3.0,<2.3.2","fixed_version":"2.3.2","source":"osv","published_at":"2022-07-13T00:00:41Z","in_kev":false,"epss_prob":0.00284,"epss_percentile":0.51721,"threat_tier":"theoretical"},{"vuln_id":"BIT-argo-cd-2024-31989","severity":"critical","summary":"ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache","affected_versions":"<2.8.19|>=2.9.0-rc1,<2.9.15|>=2.10.0-rc1,<2.10.10|>=2.11.0-rc1,<2.11.1|<=1.8.7","fixed_version":"2.11.1","source":"osv","published_at":"2024-05-21T18:07:09Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-argo-cd-2025-59531","severity":"high","summary":"Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload","affected_versions":">=1.2.0,<=1.8.7|>=2.0.0-rc1,<2.14.20|>=3.2.0-rc1,<3.2.0-rc2|>=3.1.0-rc1,<3.1.8|>=3.0.0-rc1,<3.0.19|=3.2.0-rc1","fixed_version":"3.0.19","source":"osv","published_at":"2025-09-30T18:11:59Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-argo-cd-2023-50726","severity":"medium","summary":"Users with `create` but not `override` privileges can perform local sync","affected_versions":">=1.2.0-rc1,<=1.8.7|>=2.9.0,<2.9.8|>=2.10.0,<2.10.3|>=2.0.0-rc3,<2.8.12","fixed_version":"2.8.12","source":"osv","published_at":"2024-03-15T16:33:19Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2022-31035","severity":"critical","summary":"Argo CD's external URLs for Deployments can include JavaScript","affected_versions":">=1.0.0,<2.1.16|<2.1.16|>=2.2.0,<2.2.10|>=2.3.0,<2.3.5|>=2.4.0,<2.4.1|=2.4.0","fixed_version":"2.4.1","source":"osv","published_at":"2022-06-21T20:04:34Z","in_kev":false,"epss_prob":0.00774,"epss_percentile":0.73663,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-24731","severity":"medium","summary":"Path traversal allows leaking out-of-bound files from Argo CD repo-server","affected_versions":">=1.5.0,<2.1.11|>=2.2.0,<2.2.6|>=2.3.0-rc1,<2.3.0","fixed_version":"2.3.0","source":"osv","published_at":"2022-03-24T00:12:46Z","in_kev":false,"epss_prob":0.0029,"epss_percentile":0.52378,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-31016","severity":"medium","summary":"DoS through large manifest files in Argo CD","affected_versions":">=0.7.0,<2.1.16|<2.1.16|>=2.2.0,<2.2.10|>=2.3.0,<2.3.5|>=2.4.0,<2.4.1|=2.4.0","fixed_version":"2.4.1","source":"osv","published_at":"2022-06-21T22:51:05Z","in_kev":false,"epss_prob":0.00371,"epss_percentile":0.58913,"threat_tier":"theoretical"},{"vuln_id":"BIT-argo-cd-2024-40634","severity":"high","summary":"Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint","affected_versions":">=1.0.0,<=1.8.7|<2.9.20|>=2.10.0,<2.10.15|>=2.11.0,<2.11.6","fixed_version":"2.11.6","source":"osv","published_at":"2024-07-22T17:20:02Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-argo-cd-2024-28175","severity":"critical","summary":"Cross-site scripting on application summary component","affected_versions":">=1.0.0,<=1.8.7|>=2.9.0,<2.9.8|>=2.10.0,<2.10.3|>=2.0.0,<2.8.12","fixed_version":"2.8.12","source":"osv","published_at":"2024-03-15T19:46:21Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2022-31036","severity":"medium","summary":"Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server","affected_versions":">=1.3.0,<2.1.16|<2.1.16|>=2.2.0,<2.2.10|>=2.3.0,<2.3.5|>=2.4.0,<2.4.1|=2.4.0","fixed_version":"2.4.1","source":"osv","published_at":"2022-06-21T20:04:51Z","in_kev":false,"epss_prob":0.00261,"epss_percentile":0.49469,"threat_tier":"theoretical"},{"vuln_id":"CVE-2023-22482","severity":"critical","summary":"JWT audience claim is not verified","affected_versions":">=1.8.2,<2.3.14|>=2.4.0,<2.4.20|>=2.5.0,<2.5.8|>=2.6.0-rc1,<2.6.0-rc5","fixed_version":"2.6.0-rc5","source":"osv","published_at":"2023-01-25T22:02:52Z","in_kev":false,"epss_prob":0.00244,"epss_percentile":0.47618,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-29165","severity":"critical","summary":"Argo CD will blindly trust JWT claims if anonymous access is enabled","affected_versions":">=2.3.0,<2.3.4|>=2.2.0,<2.2.9|<2.1.15|<2.1.15","fixed_version":"2.1.15","source":"osv","published_at":"2022-05-24T20:47:34Z","in_kev":false,"epss_prob":0.01577,"epss_percentile":0.81627,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-24730","severity":"high","summary":"Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server","affected_versions":">=1.3.0,<2.1.11|>=2.2.0,<2.2.6|>=2.3.0-rc1,<2.3.0","fixed_version":"2.3.0","source":"osv","published_at":"2022-03-24T00:04:03Z","in_kev":false,"epss_prob":0.0028,"epss_percentile":0.51286,"threat_tier":"theoretical"},{"vuln_id":"BIT-argo-cd-2025-59537","severity":"high","summary":"argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload","affected_versions":">=1.2.0,<=1.8.7|>=2.0.0-rc1,<2.14.20|>=3.2.0-rc1,<3.2.0-rc2|>=3.1.0-rc1,<3.1.8|>=3.0.0-rc1,<3.0.19|=3.2.0-rc1","fixed_version":"3.0.19","source":"osv","published_at":"2025-09-30T18:28:38Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2022-24905","severity":"medium","summary":"Login screen allows message spoofing if SSO is enabled","affected_versions":">=2.3.0,<2.3.4|>=2.2.0,<2.2.9|>=2.0.0,<2.1.15|<2.1.15","fixed_version":"2.1.15","source":"osv","published_at":"2022-05-24T12:26:59Z","in_kev":false,"epss_prob":0.00247,"epss_percentile":0.4793,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-24730","severity":"unknown","summary":"Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd","affected_versions":">=1.3.0|>=2.3.0-rc1,<2.3.0","fixed_version":"2.3.0","source":"osv","published_at":"2024-08-21T14:30:29Z","in_kev":false,"epss_prob":0.0028,"epss_percentile":0.51286,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-24731","severity":"unknown","summary":"Path traversal allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd","affected_versions":">=1.5.0|>=2.3.0-rc1,<2.3.0","fixed_version":"2.3.0","source":"osv","published_at":"2024-08-21T14:30:29Z","in_kev":false,"epss_prob":0.0029,"epss_percentile":0.52378,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-24768","severity":"unknown","summary":"Improper access control allows admin privilege escalation in Argo CD in github.com/argoproj/argo-cd","affected_versions":">=0.5.0|>=2.3.0,<2.3.2","fixed_version":"2.3.2","source":"osv","published_at":"2024-08-21T14:30:29Z","in_kev":false,"epss_prob":0.00396,"epss_percentile":0.60433,"threat_tier":"theoretical"},{"vuln_id":"GHSA-6w87-g839-9wv7","severity":"unknown","summary":"Helm OCI credentials leaked into Argo CD logs in github.com/argoproj/argo-cd","affected_versions":">=1.8.0,<1.8.7","fixed_version":"1.8.7","source":"osv","published_at":"2024-08-21T14:30:31Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2022-31016","severity":"unknown","summary":"DoS through large manifest files in Argo CD in github.com/argoproj/argo-cd","affected_versions":">=0.7.0|>=2.4.0,<2.4.1","fixed_version":"2.4.1","source":"osv","published_at":"2024-08-21T15:11:33Z","in_kev":false,"epss_prob":0.00371,"epss_percentile":0.58913,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-31034","severity":"unknown","summary":"Insecure entropy in Argo CD's PKCE/Oauth2/OIDC params in github.com/argoproj/argo-cd","affected_versions":">=0.11.0|>=2.4.0,<2.4.1","fixed_version":"2.4.1","source":"osv","published_at":"2024-08-21T15:11:33Z","in_kev":false,"epss_prob":0.00418,"epss_percentile":0.6188,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-31035","severity":"unknown","summary":"Argo CD's external URLs for Deployments can include JavaScript in github.com/argoproj/argo-cd","affected_versions":">=1.0.0|>=2.4.0,<2.4.1","fixed_version":"2.4.1","source":"osv","published_at":"2024-08-21T15:11:33Z","in_kev":false,"epss_prob":0.00774,"epss_percentile":0.73663,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-31036","severity":"unknown","summary":"Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server in github.com/argoproj/argo-cd","affected_versions":">=1.3.0|>=2.4.0,<2.4.1","fixed_version":"2.4.1","source":"osv","published_at":"2024-08-21T15:11:33Z","in_kev":false,"epss_prob":0.00261,"epss_percentile":0.49469,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-1025","severity":"unknown","summary":"Argo CD improper access control bug can allow malicious user to escalate privileges to admin level in github.com/argoproj/argo-cd","affected_versions":">=0.5.0|>=2.3.0,<2.3.2","fixed_version":"2.3.2","source":"osv","published_at":"2024-08-21T15:11:36Z","in_kev":false,"epss_prob":0.00284,"epss_percentile":0.51721,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-31105","severity":"unknown","summary":"Argo CD certificate verification is skipped for connections to OIDC providers in github.com/argoproj/argo-cd","affected_versions":">=0.4.0|>=2.4.0,<2.4.5","fixed_version":"2.4.5","source":"osv","published_at":"2024-08-21T15:11:36Z","in_kev":false,"epss_prob":0.00254,"epss_percentile":0.48648,"threat_tier":"theoretical"},{"vuln_id":"CVE-2023-22482","severity":"unknown","summary":"JWT audience claim is not verified in github.com/argoproj/argo-cd","affected_versions":">=1.8.2|>=2.6.0-rc1,<2.6.0-rc5","fixed_version":"2.6.0-rc5","source":"osv","published_at":"2024-08-20T20:26:01Z","in_kev":false,"epss_prob":0.00244,"epss_percentile":0.47618,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-41354","severity":"unknown","summary":"Argo CD authenticated but unauthorized users may enumerate Application names via the API in github.com/argoproj/argo-cd","affected_versions":">=0.5.0|>=2.6.0,<2.6.7","fixed_version":"2.6.7","source":"osv","published_at":"2024-08-20T20:29:17Z","in_kev":false,"epss_prob":0.01127,"epss_percentile":0.78364,"threat_tier":"theoretical"},{"vuln_id":"CVE-2023-40026","severity":"unknown","summary":"Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server in github.com/argoproj/argo-cd","affected_versions":"<2.3.0","fixed_version":"2.3.0","source":"osv","published_at":"2024-08-21T14:30:18Z","in_kev":false,"epss_prob":0.00214,"epss_percentile":0.43798,"threat_tier":"theoretical"},{"vuln_id":"BIT-argo-cd-2023-50726","severity":"unknown","summary":"Bypass manifest during application creation in github.com/argoproj/argo-cd/v2","affected_versions":">=1.2.0-rc1|>=2.10.0,<2.10.3","fixed_version":"2.10.3","source":"osv","published_at":"2024-03-22T18:12:03Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-argo-cd-2024-28175","severity":"unknown","summary":"Cross-site scripting on application summary component in github.com/argoproj/argo-cd/v2","affected_versions":">=1.0.0|>=2.10.0,<2.10.3","fixed_version":"2.10.3","source":"osv","published_at":"2024-03-22T18:45:33Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-argo-cd-2024-36106","severity":"unknown","summary":"Argo-cd authenticated users can enumerate clusters by name in github.com/argoproj/argo-cd","affected_versions":">=0.11.0|>=2.11.0,<2.11.3","fixed_version":"2.11.3","source":"osv","published_at":"2024-06-28T15:28:30Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-argo-cd-2024-40634","severity":"unknown","summary":"Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint in github.com/argoproj/argo-cd","affected_versions":">=1.0.0|>=2.11.0,<2.11.6","fixed_version":"2.11.6","source":"osv","published_at":"2024-08-06T22:03:16Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-argo-cd-2025-47933","severity":"unknown","summary":"Argo CD allows cross-site scripting on repositories page in github.com/argoproj/argo-cd","affected_versions":">=1.2.0-rc1|>=2.14.0-rc1,<2.14.13|<3.0.4","fixed_version":"3.0.4","source":"osv","published_at":"2025-05-29T20:59:03Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-argo-cd-2025-59531","severity":"unknown","summary":"Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload in github.com/argoproj/argo-cd","affected_versions":">=1.2.0|<2.14.20|>=3.2.0-rc1,<3.2.0-rc2","fixed_version":"3.2.0-rc2","source":"osv","published_at":"2025-10-23T16:25:09Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-argo-cd-2025-59537","severity":"unknown","summary":"argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload in github.com/argoproj/argo-cd","affected_versions":">=1.2.0|<2.14.20|>=3.2.0-rc1,<3.2.0-rc2","fixed_version":"3.2.0-rc2","source":"osv","published_at":"2025-10-23T16:25:09Z","in_kev":false,"threat_tier":"unknown"}],"actively_exploited_count":0,"likely_exploited_count":0},"versions":{"latest":"v1.8.6","total_count":143,"recent":["v1.7.10","v1.1.0-rc6","v0.11.0-rc2","v1.6.0-rc1","v1.8.1","v1.0.0-rc3","v1.6.2","v1.7.4","v1.0.1","v1.1.0","v1.0.0-rc2","v1.8.4","v1.5.0-rc3","v0.2.0","v1.8.0-rc2","v0.11.0-rc5","v0.4.2","v0.3.2","v0.12.1","v1.7.6"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":1981,"first_published":null,"last_published":"2021-02-26T21:12:06Z","dependencies_count":0,"dependencies":[]},"github_stats":null,"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"do_not_use","issues":["Low health score (30/100)","10 high severity vulnerabilities","7 critical vulnerabilities"],"use_version":"v1.8.6","version_hint":"Update to >= 3.2.0-rc2 to fix known vulnerabilities","summary":"github.com/argoproj/argo-cd has critical vulnerabilities — do not use"},"version_scoped":null,"requested_version":null,"_cache":"hit","_response_ms":0,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false},"version_history_summary":{"total_versions":20,"first_release_age_days":null,"last_release_days_ago":1887,"avg_days_between_releases":null,"release_velocity":"stale"}}