Sensitive Credential Exposure in Argo CD by Intuit
CVE-2025-55190

10 CRITICAL

Key Information:

Vendor: Argoproj
Status: Vendor
CVE Published: 4 September 2025

What is CVE-2025-55190?

CVE-2025-55190 is a vulnerability found in Argo CD, a widely used continuous delivery tool designed to facilitate GitOps workflows for Kubernetes environments. This vulnerability affects specific versions of Argo CD (2.13.0 to 2.13.8, 2.14.0 to 2.14.15, 3.0.0 to 3.0.12, and 3.1.0-rc1 to 3.1.1) and involves the improper handling of API tokens. Specifically, tokens with project-level permissions that should only have application management capabilities can inadvertently retrieve sensitive repository credentials, including usernames and passwords, through the project details API endpoint. This exposes critical information even to tokens that lack explicit access rights to secrets, thereby broadening the risk of credential leakage. The vulnerability has been remedied in subsequent updates, making it essential for organizations using affected versions to upgrade to mitigate potential security threats.

Potential impact of CVE-2025-55190

  1. Unauthorized Access to Sensitive Data: The exposure of repository credentials can allow malicious actors to gain unauthorized access to sensitive repositories, leading to the potential theft or manipulation of vital information and assets.

  2. Increased Attack Surface: By enabling API tokens with limited permissions to access secret credentials, this vulnerability increases the attack surface for potential exploitation, making it easier for attackers to pivot within the environment and escalate privileges.

  3. Compliance and Regulatory Risks: Organizations may face compliance issues and regulatory penalties due to the mishandling of sensitive credentials, which could undermine trust and lead to reputational damage.

Affected Version(s)

Package    Affected range          Unaffected    Patched
argo-cd    >= 2.13.0, < 2.13.9     < 2.13.0      2.13.9
argo-cd    >= 2.14.0, < 2.14.16    < 2.14.0      2.14.16
argo-cd    >= 3.0.0, < 3.0.14      < 3.0.0       3.0.14

News Articles

Max severity Argo CD API flaw leaks repository credentials

An Argo CD vulnerability allows API tokens holding only low-privilege, project-level get permissions to call the project details API endpoint and retrieve all repository credentials associated with the project.

References

EPSS Score

6% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved
