Race Condition Vulnerability in Argo CD Tool for Kubernetes
CVE-2025-55191

6.5 MEDIUM

Key Information:

Vendor: Argoproj
Status: Vendor
CVE Published: 30 September 2025

What is CVE-2025-55191?

Argo CD, a GitOps continuous delivery tool for Kubernetes, contains a race condition in several repository-related handlers in util/db/repository_secrets.go. When concurrent create, update, or delete operations target the same repository URL, the race can make the Argo CD API server panic and crash. Exploiting it requires a valid API token whose RBAC policy allows create, update, or delete on the repositories resource; no user interaction is needed. The impact is denial of service: while the server is down, all GitOps operations that go through it are unavailable. The fix is in Argo CD 2.14.20, 3.0.19, 3.1.8, and 3.2.0-rc2.

Affected Version(s)

argo-cd >= 2.1.0, < 2.14.20 (fixed in 2.14.20)

argo-cd = 3.2.0-rc1 (fixed in 3.2.0-rc2)

argo-cd >= 3.1.0-rc1, < 3.1.8 (fixed in 3.1.8)
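Not part of the advisory or of Argo CD's own code: an added Go check that maps an installed Argo CD version string onto the affected ranges above and names the release to upgrade to. Its one assumption is the 3.0.x range: the advisory text names 3.0.19 as a fixed release, but the version table above lists no 3.0 range, so a lower bound of 3.0.0 is assumed and marked as such in the code. Pre-release ordering matters here because 3.1.0-rc1 and 3.2.0-rc1 are the first affected builds in their lines, and a plain string comparison would mis-order them against the final releases.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a minimal semantic version: major.minor.patch and an optional
// pre-release tag such as "rc1". Build metadata ("+...") is not handled.
type version struct {
	major, minor, patch int
	pre                 string // "" means a final release
}

// parseVersion accepts forms like "v2.14.19", "3.1.0-rc1" or "3.2.0".
// A malformed string is an error, never silently treated as a version.
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	var v version
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre = s[i+1:]
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("malformed version %q: want major.minor.patch", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return version{}, fmt.Errorf("malformed version component %q", p)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// mustParse is for the constant range table below, whose entries are known good.
func mustParse(s string) version {
	v, err := parseVersion(s)
	if err != nil {
		panic(err)
	}
	return v
}

// splitPre separates a pre-release tag into its alphabetic prefix and numeric
// suffix, so that "rc10" orders after "rc2" (a string compare would not).
func splitPre(p string) (string, int) {
	i := len(p)
	for i > 0 && p[i-1] >= '0' && p[i-1] <= '9' {
		i--
	}
	n, _ := strconv.Atoi(p[i:]) // no digits -> 0
	return p[:i], n
}

// compare returns -1, 0 or 1. Numeric fields are compared first; a pre-release
// sorts before the final release with the same numbers (3.1.0-rc1 < 3.1.0).
func compare(a, b version) int {
	for _, d := range [3]int{a.major - b.major, a.minor - b.minor, a.patch - b.patch} {
		if d < 0 {
			return -1
		}
		if d > 0 {
			return 1
		}
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	}
	ap, an := splitPre(a.pre)
	bp, bn := splitPre(b.pre)
	if ap != bp {
		if ap < bp {
			return -1
		}
		return 1
	}
	if an != bn {
		if an < bn {
			return -1
		}
		return 1
	}
	return 0
}

// affectedRange is the half-open interval [lo, fixed): lo is the first
// affected release, fixed is the release that carries the fix.
type affectedRange struct{ lo, fixed string }

// Ranges taken from the advisory. The 3.0.x entry is derived from the 3.0.19
// fix release named in the advisory text; its lower bound of 3.0.0 is an
// ASSUMPTION, since the advisory's version table lists no 3.0 range.
var affectedRanges = []affectedRange{
	{"2.1.0", "2.14.20"},
	{"3.0.0", "3.0.19"},
	{"3.1.0-rc1", "3.1.8"},
	{"3.2.0-rc1", "3.2.0-rc2"},
}

// isAffected reports whether an Argo CD version string falls in an affected
// range and, if so, the minimum release to upgrade to.
func isAffected(s string) (affected bool, upgradeTo string, err error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, "", err
	}
	for _, r := range affectedRanges {
		if compare(v, mustParse(r.lo)) >= 0 && compare(v, mustParse(r.fixed)) < 0 {
			return true, r.fixed, nil
		}
	}
	return false, "", nil
}

func main() {
	// Constructed sample inputs standing in for the versions of your own deployments.
	for _, s := range []string{"v2.14.19", "v2.14.20", "v3.0.18", "v3.1.0-rc1", "v3.1.8", "v3.2.0-rc1", "v3.2.0-rc2", "3.1"} {
		affected, fix, err := isAffected(s)
		switch {
		case err != nil:
			fmt.Printf("%-12s error: %v\n", s, err)
		case affected:
			fmt.Printf("%-12s AFFECTED, upgrade to %s\n", s, fix)
		default:
			fmt.Printf("%-12s not affected\n", s)
		}
	}
}
```

A version that does not parse is returned as an error rather than as "not affected", so an unparseable or truncated version string is never quietly classified as safe.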


CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 30 September 2025

  • Vulnerability reserved
