Exposed Secrets in Argo CD Error Messages and Diff View
CVE-2025-23216

6.8 MEDIUM

Key Information:

Vendor

Argoproj

Status
Vendor
CVE Published:
30 January 2025

What is CVE-2025-23216?

A vulnerability in Argo CD causes secret values to be revealed in error messages and in the diff view when an invalid Kubernetes Secret resource is synced from a repository. The issue is triggered when a user with write access to the repository commits an invalid Secret, whether inadvertently or intentionally, and a Sync runs against it. Any user with read access to the Argo CD application can then view the leaked secret values, which compromises the confidentiality of sensitive data. The vulnerability has been resolved in versions v2.13.4, v2.12.10, and v2.11.13.

Affected Version(s)

argo-cd >= 2.13.0, < 2.13.4 (fixed in 2.13.4)

argo-cd >= 2.12.0, < 2.12.10 (fixed in 2.12.10)

argo-cd < 2.11.13 (fixed in 2.11.13)
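The following Python is an added example, not code from the advisory or from the Argo CD project. It does two things a defender would want from this entry: it checks a running Argo CD version against the affected ranges listed above and reports the fix version, and it pre-validates a Secret manifest before it is committed, so that a malformed Secret does not reach a Sync in the first place. The page does not say what makes a Secret "invalid", so the validator assumes the common case of `data` values that are not valid standard base64 or keys that do not match the Kubernetes key pattern; the manifests used for input are constructed here.

```python
import base64
import binascii
import re

# Affected ranges copied from the advisory: (lower bound inclusive or None, upper bound exclusive, fix).
AFFECTED_RANGES = [
    ("2.13.0", "2.13.4", "2.13.4"),
    ("2.12.0", "2.12.10", "2.12.10"),
    (None, "2.11.13", "2.11.13"),
]

# Kubernetes Secret data keys must match this pattern (Kubernetes convention, not from the advisory).
KEY_PATTERN = re.compile(r"^[-._a-zA-Z0-9]+$")


def parse_version(text):
    """Turn 'v2.13.2' or '2.13.2' into a comparable (major, minor, patch) tuple."""
    match = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def affected_fix(version):
    """Return the version that fixes CVE-2025-23216 for the given release, or None if not in an affected range."""
    current = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES:
        above_lower = lower is None or current >= parse_version(lower)
        if above_lower and current < parse_version(upper):
            return fixed
    return None


def validate_secret(manifest):
    """Return a list of problems with a Secret manifest (already parsed from YAML/JSON into a dict).

    An empty list means the Secret is well-formed enough that the API server will not
    reject it for a malformed key or non-base64 value.  Assumption (not from the advisory):
    these are the defects that make a Secret 'invalid' for the purposes of the issue.
    """
    problems = []
    if manifest.get("kind") != "Secret":
        problems.append("kind is not Secret")
        return problems

    data = manifest.get("data") or {}
    string_data = manifest.get("stringData") or {}
    if not isinstance(data, dict) or not isinstance(string_data, dict):
        problems.append("data and stringData must be maps")
        return problems

    for key, value in data.items():
        if not KEY_PATTERN.match(key):
            problems.append(f"data key {key!r} is not a valid Secret key")
        if not isinstance(value, str):
            problems.append(f"data[{key!r}] is not a string")
            continue
        try:
            # validate=True rejects any character outside the standard base64 alphabet.
            base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"data[{key!r}] is not valid base64")

    for key, value in string_data.items():
        if not KEY_PATTERN.match(key):
            problems.append(f"stringData key {key!r} is not a valid Secret key")
        if not isinstance(value, str):
            problems.append(f"stringData[{key!r}] is not a string")

    return problems


if __name__ == "__main__":
    # Constructed inputs, not taken from any real deployment.
    for release in ("v2.13.2", "v2.12.10", "v2.10.5"):
        fix = affected_fix(release)
        print(release, "-> upgrade to", fix if fix else "(not in an affected range)")

    bad_secret = {
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"name": "db-creds"},
        "data": {"password": "not base64!"},
    }
    print("bad secret:", validate_secret(bad_secret))
```

Run the validator as a pre-commit hook or CI step on every manifest under the paths Argo CD syncs; a non-empty result should block the commit so the malformed Secret never reaches the controller. The `affected_fix` check is cheap enough to run against the version reported by each Argo CD instance in an inventory job.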

References

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
