CVE-2024-28175 in argocd
Summary
by MITRE • 03/13/2024
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in Argo CD versions v2.10.3, v2.9.8, and v2.8.12. There are no completely-safe workarounds besides upgrading. The safest alternative, if upgrading is not possible, would be to create a Kubernetes admission controller to reject any resources with an annotation starting with link.argocd.argoproj.io or reject the resource if the value uses an improper URL protocol. This validation will need to be applied in all clusters managed by ArgoCD.
Analysis
by VulDB Data Team • 04/15/2025
The vulnerability CVE-2024-28175 represents a critical cross-site scripting flaw in Argo CD, a widely adopted GitOps continuous delivery tool for Kubernetes environments. This vulnerability specifically targets the application summary component's handling of `link.argocd.argoproj.io` annotations, where the system fails to properly validate URL protocols before rendering links in the user interface. The flaw exists in all unpatched versions of Argo CD beginning with v1.0.0, making it a long-standing issue that affects a substantial portion of the user base. The vulnerability operates through a protocol filtering mechanism that is insufficiently restrictive, allowing attackers to inject malicious javascript: links that execute with the privileges of the victim user, potentially reaching administrative levels within the Kubernetes cluster.
The technical exploitation of this vulnerability occurs through the manipulation of application annotations that are displayed in the Argo CD user interface. When a malicious user creates or modifies an application resource with a specially crafted `link.argocd.argoproj.io` annotation containing a javascript: protocol, the system renders this link without adequate sanitization. Upon clicking the malicious link, the embedded javascript code executes within the victim's browser context with their existing permissions, which can include full administrative access to the cluster. This elevated privilege execution model transforms what might otherwise be a simple UI manipulation into a severe security compromise capable of enabling complete cluster takeover through API-based operations. The vulnerability maps directly to CWE-79: Improper Neutralization of Input During Web Page Generation, which addresses cross-site scripting issues in web applications.
The operational impact of this vulnerability extends far beyond simple script execution, as it enables attackers to perform arbitrary actions on behalf of compromised users through the Argo CD API. This includes creating new applications, modifying existing resources, deleting critical cluster components, and potentially escalating privileges further within the Kubernetes environment. The implications are particularly severe in multi-tenant environments where different users may have varying permission levels, as a low-privileged attacker could leverage this vulnerability to gain administrative capabilities. The vulnerability also aligns with ATT&CK technique T1566.001: Phishing, as it typically requires user interaction through malicious links, and T1071.004: Application Layer Protocol, as it exploits web application protocols to achieve its malicious objectives.
Organizations affected by this vulnerability must prioritize immediate remediation through the official patches released in versions v2.10.3, v2.9.8, and v2.8.12, as these versions contain the necessary fixes for the protocol validation mechanism. While upgrading represents the most straightforward and secure solution, organizations unable to upgrade immediately should implement a Kubernetes admission controller as a compensating control. That admission controller must either reject any resource carrying a `link.argocd.argoproj.io` annotation outright or verify that the URL protocol in each such annotation's value is safe and appropriate. The validation must be applied consistently across all clusters managed by Argo CD to ensure comprehensive protection. Without proper mitigation, the vulnerability remains exploitable and poses significant risk to Kubernetes cluster security, potentially leading to complete cluster compromise and unauthorized access to sensitive infrastructure components.
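The annotation check an admission webhook would run for the compensating control described above, written here as an added Go example (it is not Argo CD's own fix and not the project's code). The http/https allowlist, the rejection of relative links, and the function names are assumptions of this example; the normalization step exists because browsers ignore embedded tabs and newlines and leading whitespace when interpreting an href, so a naive prefix check on the raw value is not enough.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Annotation family the advisory tells the admission controller to inspect.
const annotationPrefix = "link.argocd.argoproj.io"
// Assumed allowlist: the advisory names no safe set, so this is the example's choice.
var allowedSchemes = map[string]bool{"http": true, "https": true}

// normalizeLink mimics browser href handling (drop tab/CR/LF anywhere, trim leading
// and trailing controls/spaces) so " JavaScript:" or "java\tscript:" cannot slip by.
func normalizeLink(raw string) string {
	noCtl := strings.NewReplacer("\t", "", "\n", "", "\r", "").Replace(raw)
	return strings.TrimFunc(noCtl, func(r rune) bool { return r <= ' ' })
}

// linkScheme returns the lowercase RFC 3986 scheme of a normalized link, or ""
// when the link is relative or its scheme is malformed.
func linkScheme(link string) string {
	for i, r := range link {
		if r == ':' {
			return strings.ToLower(link[:i])
		}
		alpha := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
		extra := i > 0 && ((r >= '0' && r <= '9') || r == '+' || r == '-' || r == '.')
		if !alpha && !extra {
			return ""
		}
	}
	return ""
}

// RejectedLinkAnnotations returns, sorted, the keys of link annotations whose value is not
// an absolute URL with an allowlisted scheme (relative links are rejected too, an assumption
// of this example); an empty result means the resource may be admitted.
func RejectedLinkAnnotations(annotations map[string]string) []string {
	var rejected []string
	for key, value := range annotations {
		if strings.HasPrefix(key, annotationPrefix) && !allowedSchemes[linkScheme(normalizeLink(value))] {
			rejected = append(rejected, key)
		}
	}
	sort.Strings(rejected)
	return rejected
}
func main() { // constructed sample annotation, not taken from any real manifest
	fmt.Println(RejectedLinkAnnotations(map[string]string{"link.argocd.argoproj.io/runbook": " JavaScript:alert(1)"}))
}
```

In a real webhook the returned keys become the denial message; keys outside the `link.argocd.argoproj.io` family are deliberately ignored so the policy does not interfere with unrelated annotations.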