x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2025-23216 #3433

GoVulnBot · 2025-01-30T17:01:22Z

Advisory CVE-2025-23216 references a vulnerability in the following Go modules:

Module
github.com/argoproj/argo-cd

Description:
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. The vulnerability is fixed in v2.13.4, v2.12.10, and v2.11.13...

References:

ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-23216
FIX: argoproj/argo-cd@6f5537b
FIX: argoproj/gitops-engine@7e21b91
WEB: GHSA-47g2-qmh2-749v

Cross references:

github.com/argoproj/argo-cd appears in 38 other report(s):
- data/excluded/GO-2024-2470.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-22424 #2470) EFFECTIVELY_PRIVATE
- data/reports/GO-2022-0304.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24348 #304)
- data/reports/GO-2022-0357.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24730 #357)
- data/reports/GO-2022-0358.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24731 #358)
- data/reports/GO-2022-0359.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24768 #359)
- data/reports/GO-2022-0387.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-6w87-g839-9wv7 #387)
- data/reports/GO-2022-0453.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24904 #453)
- data/reports/GO-2022-0454.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24905 #454)
- data/reports/GO-2022-0455.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-29165 #455)
- data/reports/GO-2022-0495.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31016 #495)
- data/reports/GO-2022-0497.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31034 #497)
- data/reports/GO-2022-0498.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31035 #498)
- data/reports/GO-2022-0499.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31036 #499)
- data/reports/GO-2022-0516.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-1025 #516)
- data/reports/GO-2022-0517.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31102 #517)
- data/reports/GO-2022-0518.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31105 #518)
- data/reports/GO-2022-0869.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-qq5v-f4c3-395c #869)
- data/reports/GO-2022-0882.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/util/session: GHSA-vj54-cjrx-x696 #882)
- data/reports/GO-2022-0892.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/util/cache: GHSA-xcqr-9h24-vrgw #892)
- data/reports/GO-2023-1512.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-6p4m-hw2h-6gmw #1512)
- data/reports/GO-2023-1520.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-q9hr-j4rf-8fjc #1520)
- data/reports/GO-2023-1577.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-23947 #1577)
- data/reports/GO-2023-1670.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-2q5c-qw9c-fmvq #1670)
- data/reports/GO-2023-1952.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-xj7v-c82w-92q2 #1952)
- data/reports/GO-2023-2018.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-c8xw-vjgf-94hr #2018)
- data/reports/GO-2023-2049.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40029 #2049)
- data/reports/GO-2023-2050.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40584 #2050)
- data/reports/GO-2023-2085.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-6jqw-jwf5-rp8h #2085)
- data/reports/GO-2024-2643.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-g623-jcgg-mhmm #2643)
- data/reports/GO-2024-2646.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-jwv5-8mqv-g387 #2646)
- data/reports/GO-2024-2728.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-31990 #2728)
- data/reports/GO-2024-2792.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-32476 #2792)
- data/reports/GO-2024-2877.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-31989 #2877)
- data/reports/GO-2024-2898.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-36106 #2898)
- data/reports/GO-2024-2902.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-37152 #2902)
- data/reports/GO-2024-3002.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-jmvp-698c-4x3w #3002)
- data/reports/GO-2024-3006.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2024-41666 #3006)
- data/reports/GO-2025-3427.yaml (x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-58fx-7v9q-3g56 #3427)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/argoproj/argo-cd
      vulnerable_at: 1.8.6
summary: CVE-2025-23216 in github.com/argoproj/argo-cd
cves:
    - CVE-2025-23216
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-23216
    - fix: https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107
    - fix: https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca
    - web: https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v
source:
    id: CVE-2025-23216
    created: 2025-01-30T17:01:22.197962218Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2025-02-04T18:49:37Z

Change https://go.dev/cl/646595 mentions this issue: data/reports: add 9 unreviewed reports

GoVulnBot added cve-year-2025 NeedsTriage labels Jan 30, 2025

hugocarreira mentioned this issue Feb 3, 2025

x/vulndb: suggestion regarding GO-2025-3427 #3440

Closed

tatianab added triaged and removed NeedsTriage labels Feb 4, 2025

gopherbot closed this as completed in f230a55 Feb 4, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2025-23216 #3433

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2025-23216 #3433

GoVulnBot commented Jan 30, 2025

gopherbot commented Feb 4, 2025

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2025-23216 #3433

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2025-23216 #3433

Comments

GoVulnBot commented Jan 30, 2025

gopherbot commented Feb 4, 2025