Sensitive Credential Exposure in Argo CD by Intuit
CVE-2025-55190
What is CVE-2025-55190?
Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, has a vulnerability that allows API tokens with project-level permissions to read sensitive repository credentials, such as usernames and passwords. The issue lies in the project details API endpoint, which lets tokens holding only standard application-management permissions retrieve this information without any explicit access to secrets. The problem is not limited to project-level tokens: any token with project get permissions is affected, including tokens with global permissions. The vulnerability affects Argo CD versions 2.13.0 to 2.13.8, 2.14.0 to 2.14.15, 3.0.0 to 3.0.12, and 3.1.0-rc1 to 3.1.1. Fixes are available in versions 2.13.9, 2.14.16, 3.0.14, and 3.1.2, so users should upgrade to protect these credentials.
Affected Version(s)
Package    Affected                 Unaffected   Fixed
argo-cd    >= 2.13.0, < 2.13.9      < 2.13.0     2.13.9
argo-cd    >= 2.14.0, < 2.14.16     < 2.14.0     2.14.16
argo-cd    >= 3.0.0, < 3.0.14       < 3.0.0      3.0.14
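To check whether a deployed Argo CD release falls inside the ranges listed above, here is an added example (not code from the advisory or from the Argo CD project) that compares a version string against the affected ranges and reports the fixed release to upgrade to. It assumes version strings in the form Argo CD uses for releases (optional "v" prefix, optional "-rcN" pre-release suffix, optional "+build" metadata, which is ignored); the ranges themselves are taken from the advisory text.

```python
import re
import sys

# Affected ranges from the advisory: (lower inclusive, upper exclusive, fixed release).
AFFECTED_RANGES = [
    ("2.13.0", "2.13.9", "2.13.9"),
    ("2.14.0", "2.14.16", "2.14.16"),
    ("3.0.0", "3.0.14", "3.0.14"),
    ("3.1.0-rc1", "3.1.2", "3.1.2"),
]

# Assumed version shape: v?MAJOR.MINOR.PATCH[-rcN][+build]; build metadata is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?(?:\+[0-9A-Za-z.-]+)?$")


def parse_version(text):
    """Parse an Argo CD version into a tuple that sorts correctly.

    A release candidate sorts before the final release of the same number,
    so 3.1.0-rc1 < 3.1.0 < 3.1.1 < 3.1.2, which matches the advisory's range.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    rc = m.group(4)
    # Fourth element: 0 for a pre-release, 1 for a final release.
    if rc is None:
        return (major, minor, patch, 1, 0)
    return (major, minor, patch, 0, int(rc))


def check_version(text):
    """Return (affected, fixed_version) for the given Argo CD version string."""
    version = parse_version(text)
    for lower, upper, fixed in AFFECTED_RANGES:
        if parse_version(lower) <= version < parse_version(upper):
            return True, fixed
    return False, None


if __name__ == "__main__":
    # Usage: python check_argocd_cve_2025_55190.py v2.13.8 3.1.0-rc1 ...
    for arg in sys.argv[1:]:
        affected, fixed = check_version(arg)
        status = f"AFFECTED, upgrade to {fixed}" if affected else "not affected"
        print(f"{arg}: {status}")
```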