Argo security audit 2022

18th July, 2022
Adam Korczynski,
Security Engineering & Security Automation
David Korczynski,
Security Research & Security Engineering

Ada Logics is happy to release the report for our security audit of Argo. The audit was facilitated by OSTIF and sponsored by CNCF and carried out by Ada Logics’ team of researchers. We found several high-severity CVEs which the Argo teams have worked hard to fix since mid May. With the release of the report, all CVEs have been fixed.

Argo is a set of open source tools for Kubernetes to run workflows, manage clusters, and carry out GitOps tasks, and It is adopted by companies like Adobe, Alibaba Group, BMW Group, Capital One, Deloitte, Google, Handelsbanken, IBM, Redhat, Skyscanner, Tesla and many others. CNCF’s annual survey of 2021 found that production use of Argo increases 115% year-on-year which makes the project a critical piece of global infrastructure to secure. Argo was accepted by the CNCF in april 2020.


Ada Logics found 26 issues across ArgoCD, Argo Workflows and Argo Events. The issues are of various types and levels of exploitability. In this section we cover the findings from a high level.

CVE Github Advisory Severity (CSS)
CVE-2022-31035 GHSA-h4w9-6x78-8vrj Critical (9.0)
CVE-2022-31102 GHSA-pmjg-52h9-72qv Low (2.6)
CVE-2022-31054 GHSA-5q86-62xr-3r57 High (7.5)
CVE-2022-25856 GHSA-qpgx-64h2-gc3c High (7.5)
CVE-2022-31036 GHSA-q4w5-4gq2-98vm Moderate (4.3)
CVE-2022-24904 GHSA-6gcg-hp2x-q54h Moderate (4.3)
CVE-2022-31016 GHSA-jhqp-vf4w-rpwq Moderate (6.5)
CVE-2022-31034 GHSA-2m7h-86qq-fp4v High (8.3)
CVE-2022-31105 GHSA-7943-82jg-wmw5 High (8.3)


We found a number of cases of XSS in the Argo UI that affected both ArgoCD and Argo Workflows. In Argo Workflows, we found 6 XSS’s, but these would not be affected by untrusted input. In ArgoCD, Two XSS’s were assigned CVE’s with Low and Critical CVSS scores. The Critical CVE would allow a malicious user to inject Javascript into a link in the UI and potentially have an admin user execute the malicious payload. This could lead to vertical privilege escalation to admin level.

The Low severity CVE was a case of stored XSS which is the most dangerous type. Upon triaging the issue, we found that the server encryption key was required to launch the attack which means the attacker could therefore escalate privileges horizontally and not vertically - hence the severity score of Low.

Path traversal vulnerabilities

ArgoCD and Argo Events were both found to be vulnerable to path traversal attacks. In Argo Events, the vulnerability could be exploited through several vectors, for example attacker-controlled git files, a race condition or an attacker-controlled manifest for a Git Trigger Source. Either of these could allow an attacker to read the contents of any file on the server. The vulnerability was scored High (7.5).

Ada Logics team of researchers found 2 cases of path traversal vulnerabilities in ArgoCD. These would allow attackers to read JSON files, manifest files or YAML files on the server. The restriction of file types limits the scope of a given attack, but an attacker could exploit the vulnerabilities to read sensitive files that could result in vertical privilege escalation. Both of these CVEs were scored Moderate.

Denial-of-Service vulnerabilities

Ada Logics’ researchers found several denial-of-service vulnerabilities in both ArgoCD and Argo Events. In ArgoCD, an attacker could make the Argo reposerver read a malicious manifest that would exhaust memory of the machine resulting in denial of service. The vulnerability was scored Moderate (6.5).

Argo Events had a vulnerability of High (7.5) severity that could allow an attacker to send a well-crafted payload and exhaust memory causing denial of service. The following Eventsources were affected:

Insecure entropy

ArgoCD was using an insecure number generator when a user initiates an SSO login in the ArgoCD CLI which made ArgoCD susceptible to a number of attacks; For example, an attacker could make different attempts to guess the generated parameters and escalate privileges horizontally all the way to full admin. The CVE was scored High (8.3). All versions of Argo CD were vulnerable starting with v0.11.0.

Other findings

The audit resulted in a number of other findings which are included in the final report.


During the audit, Ada Logics wrote 7 fuzzers and added them to Argos OSS-Fuzz integration. The fuzzers ran during the security audit and continue to run to search for bugs. They found a number of issues during the audit that would have a critical impact on Argo if exploitable. None of the issues could be triggered from untrusted input, and they are tracked via Github issues.

Ada Logics is no stranger to fuzzing the Argo projects; Earlier in 2022, we carried out a fuzzing audit of Argo where 41 fuzzers were written covering ArgoCD, Argo Events, Argo Rollouts, Argo Workflows and GitOps Engine. The fuzzing audit resulted in 10 bugs being found, triaged and fixed, and the fuzzers run continuously via the OSS-Fuzz service. Read more about Argos fuzzing audit here:

Securing the Cloud - and the Edge

The Argo security audit follows a series of previous audits of CNCF projects carried out by Ada Logics. Links to previous audits:

Ada Logics is a major contributor to securing the cloud native landscape through fuzzing. Our team of researchers have written hundreds of fuzzers that run on the OSS-Fuzz service and cover critical projects such as Kubernetes, etcd, Helm, Argo, Cilium, Flux, Containerd, Runc and more. Read more about that work here: