CVE-2025-23216
Published 2025-01-30
Priority P434 · medium · 6.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.46% (36.4th percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to the repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. The vulnerability is fixed in v2.13.4, v2.12.10, and v2.11.13.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo-cd | < 2.11.13 | 2.11.13 |
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo_cd | < 2.11.13 | 2.11.13 |
| argoproj | argo_cd | >= 2.12.0 < 2.12.10 | 2.12.10 |
| argoproj | argo_cd | >= 2.13.0 < 2.13.4 | 2.13.4 |
| github.com | argoproj_argo-cd | 0 – 1.8.7 | — |
| github.com | argoproj_argo-cd_v2 | >= 0 < 2.11.13 | 2.11.13 |
| github.com | argoproj_argo-cd_v2 | >= 2.12.0 < 2.12.10 | 2.12.10 |
| github.com | argoproj_argo-cd_v2 | >= 2.13.0 < 2.13.4 | 2.13.4 |
CVSS provenance
- NVD (v3.1): 6.8 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
- Red Hat (vendor): 6.8 MEDIUM
OSV (osv · 2025-02-04)
CVE-2025-23216: Argo CD does not scrub secret values from patch errors in github.com/argoproj/argo-cd
GHSA (ghsa · 2025-01-30 · MEDIUM · CWE-200)
CVE-2025-23216: Argo CD does not scrub secret values from patch errors
### Impact
A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository.
The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to the repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.
### Patches
A patch for this vulnerability is available in the following Argo CD versions:
- v2.13.4
- v2.12.10
- v2.11.13
### Workarounds
There is no workaround other than upgrading.
### References
Fixed with commit https://github.com/argoproj/argo-cd/commit/6f5
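The Impact section above describes the failure mode: a patch or validation error echoes the contents of an invalid Secret back into a message that every Argo CD reader can see. The following Go function is an added illustration of the defensive step the advisory title names (scrubbing secret values from an error before it is surfaced); it is not Argo CD's own code, and the Secret contents and error text are constructed for the example. It masks the literal `data`/`stringData` strings as committed, the base64 encoding of `stringData`, and the decoded form of any `data` value that happens to be valid base64.

```go
package main

import (
	"encoding/base64"
	"sort"
	"strings"
)

// Mask written in place of every secret value (constant chosen for this example).
const redacted = "++++++++"

// secretValues collects every form of a Secret's values that a patch or validation
// error could echo back: the literal data/stringData strings from the manifest, the
// base64 encoding of stringData, and the decoded plaintext of base64-valid data values.
func secretValues(data, stringData map[string]string) []string {
	seen := map[string]struct{}{}
	add := func(v string) {
		if v != "" {
			seen[v] = struct{}{}
		}
	}
	for _, v := range data {
		add(v) // an invalid Secret may carry a non-base64 literal here
		if dec, err := base64.StdEncoding.DecodeString(v); err == nil {
			add(string(dec))
		}
	}
	for _, v := range stringData {
		add(v)
		add(base64.StdEncoding.EncodeToString([]byte(v)))
	}
	vals := make([]string, 0, len(seen))
	for v := range seen {
		vals = append(vals, v)
	}
	// Longest first, so a value that is a substring of another never leaks a fragment.
	sort.Slice(vals, func(i, j int) bool { return len(vals[i]) > len(vals[j]) })
	return vals
}

// ScrubError returns msg with every secret value replaced by the mask. Call it on the
// error text before it is stored on the application status or shown in the diff view.
func ScrubError(msg string, data, stringData map[string]string) string {
	for _, v := range secretValues(data, stringData) {
		msg = strings.ReplaceAll(msg, v, redacted)
	}
	return msg
}
```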
Red Hat (vendor_redhat · 2025-01-30 · CVSS 6.8 · MEDIUM · CWE-209)
argocd: Argo CD does not scrub secret values from patch errors
A vulnerability was found in Argo CD where secret values can be exposed in error messages when an invalid Kubernetes Secret resource
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.