Is github.com/argoproj/argo-cd safe to use?

github.com/argoproj/argo-cd has 47 known vulnerabilities on the latest version (v1.8.6). DepScope rates its health at 30/100 (critical risk).

What is the latest version of github.com/argoproj/argo-cd?

The latest version of github.com/argoproj/argo-cd is v1.8.6, released 2021-02-26.

Does github.com/argoproj/argo-cd have known vulnerabilities?

Yes. github.com/argoproj/argo-cd has 47 known vulnerabilities. See depscope.dev/pkg/go/github.com/argoproj/argo-cd for details.

Is github.com/argoproj/argo-cd deprecated?

No, github.com/argoproj/argo-cd is actively maintained. Latest release: v1.8.6 (2021-02-26).

What are alternatives to github.com/argoproj/argo-cd?

DepScope has no curated alternatives for github.com/argoproj/argo-cd at this time.

What license does github.com/argoproj/argo-cd use?

github.com/argoproj/argo-cd is licensed under Apache-2.0.

github.com/argoproj/argo-cd

govv1.8.6

Declarative Continuous Deployment for Kubernetes

License Apache-2.0permissive143 versions1981 maintainers0 deps22,706 weekly dl

argoproj/argo-cd

/ 100

Health

do not use

github.com/argoproj/argo-cd has critical vulnerabilities — do not use

Update to >= 3.2.0-rc2 to fix known vulnerabilities

Low health score (30/100)
10 high severity vulnerabilities
7 critical vulnerabilities

Health breakdown0 – 100

0/25

maintenance

10/20

popularity

0/25

security

15/15

maturity

5/15

community

Vulnerabilities

7 critical10 high10 medium20 low

Advisories (47)

Severity	ID	Summary	Fixed in
critical	CVE-2022-24768	Improper access control allows admin privilege escalation in Argo CD	2.3.2
critical	BIT-argo-cd-2025-47933	Argo CD allows cross-site scripting on repositories page	3.0.4
high	CVE-2022-31034	Insecure entropy in Argo CD's PKCE/Oauth2/OIDC params	2.4.1
medium	CVE-2022-41354	Argo CD authenticated but unauthorized users may enumerate Application names via the API	2.4.28
medium	BIT-argo-cd-2024-36106	Argo-cd authenticated users can enumerate clusters by name	2.11.3
medium	BIT-argo-cd-2025-23216	Argo CD does not scrub secret values from patch errors	2.11.13
high	CVE-2022-24348	Path traversal and dereference of symlinks in Argo CD	2.1.9
medium	CVE-2023-40026	Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server	2.3.0
high	BIT-argo-cd-2024-21661	Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment	2.10.4
medium	GO-2022-0387	Helm OCI credentials leaked into Argo CD logs	1.8.7
high	CVE-2022-31105	Argo CD certificate verification is skipped for connections to OIDC providers	2.4.5
high	CVE-2024-22424	github.com/argoproj/argo-cd Cross-Site Request Forgery vulnerability	2.10-rc2
high	CVE-2022-1025	Argo CD improper access control bug can allow malicious user to escalate privileges to admin level	2.3.2
critical	BIT-argo-cd-2024-31989	ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache	2.11.1
high	BIT-argo-cd-2025-59531	Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload	3.0.19
medium	BIT-argo-cd-2023-50726	Users with `create` but not `override` privileges can perform local sync	2.8.12
critical	CVE-2022-31035	Argo CD's external URLs for Deployments can include JavaScript	2.4.1
medium	CVE-2022-24731	Path traversal allows leaking out-of-bound files from Argo CD repo-server	2.3.0
medium	CVE-2022-31016	DoS through large manifest files in Argo CD	2.4.1
high	BIT-argo-cd-2024-40634	Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint	2.11.6

... and 27 more

Health History

Dependency Tree

License Audit

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/go/github.com/argoproj/argo-cd

Last updated · 2021-02-26T21:12:06Z