Wiz
Vulnerability DatabaseCVE-2022-24904

CVE-2022-24904
Argo CD vulnerability analysis and mitigation

Overview

Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, was found to contain a symlink following vulnerability (CVE-2022-24904) affecting versions 0.7.0 through 2.1.14, 2.2.8, and 2.3.3. The vulnerability was discovered in May 2022 and allows malicious users with repository write access to potentially leak sensitive files from Argo CD's repo-server (GitHub Advisory).

Technical details

The vulnerability stems from a symlink following bug where a malicious user with write access to a repository used in a directory-type Application can commit a symlink pointing to an out-of-bounds file. If the target file is a valid JSON or YAML manifest file and the resource is allowed in the Application, the attacker can read the contents of that manifest file. In versions prior to 2.3.2, 2.2.8, and 2.1.14, the attacker could read file contents even if the resource was not allowed in the Application. The vulnerability has been assigned a CVSS v3 base score of 4.3 (Moderate severity) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (GitHub Advisory).

Impact

The vulnerability could lead to the exposure of sensitive information, including manifest files from other Applications' source repositories (potentially including decrypted files when using a decryption plugin) or any JSON-formatted secrets mounted as files on the repo-server. If the target file is valid JSON but not a manifest file, the attacker may read the entire contents, while non-JSON/YAML files may have partial content exposure (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. For users of version ≥2.3.0 without Jsonnet/directory-type Applications, it's recommended to disable the Jsonnet/directory config management tool. Additional mitigations include avoiding mounting JSON-formatted secrets as files on the repo-server, limiting push access to manifest repositories, restricting user access to necessary Projects, and limiting resource kinds and destinations allowed for Projects (GitHub Advisory).

Additional resources

SourceThis report was generated using AI

Related Argo CD vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-55190CRITICAL9.9
  • Argo CDArgo CD
  • cpe:2.3:a:linuxfoundation:argo-cd
NoYesSep 04, 2025
CVE-2025-59538HIGH7.5
  • Argo CDArgo CD
  • argocd-2.14
NoYesOct 01, 2025
CVE-2025-59537HIGH7.5
  • Argo CDArgo CD
  • argocd-fips-3.0
NoYesOct 01, 2025
CVE-2025-59531HIGH7.5
  • Argo CDArgo CD
  • github.com/argoproj/argo-cd
NoYesOct 01, 2025
CVE-2025-55191MEDIUM5.3
  • Argo CDArgo CD
  • github.com/argoproj/argo-cd/v3
NoYesSep 30, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo