CVE-2025-55190
Published 2025-09-04
Priority P1 83 · Critical 9.9 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploited in the wild (VulnCheck KEV)
EPSS: 4.52% (90.3th percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo_cd | >= 2.14.0 < 2.14.16 | 2.14.16 |
| argoproj | argo_cd | >= 2.2.0 < 2.13.9 | 2.13.9 |
| argoproj | argo_cd | >= 3.0.0 < 3.0.14 | 3.0.14 |
| argoproj | argo_cd | >= 3.1.0 < 3.1.2 | 3.1.2 |
| github.com | argoproj_argo-cd_v2 | >= 2.13.0 < 2.13.9 | 2.13.9 |
| github.com | argoproj_argo-cd_v2 | >= 2.14.0 < 2.14.16 | 2.14.16 |
| github.com | argoproj_argo-cd_v3 | >= 0 < 3.0.14 | 3.0.14 |
| github.com | argoproj_argo-cd_v3 | >= 3.1.0-rc1 < 3.1.2 | 3.1.2 |
Detection & IOCs (extracted from sources)
- URL: /api/v1/session
- URL: /api/v1/projects/default/detailed
- Regex: '"repositories":\[.*?"username":"([^"]+)".*?"password":"([^"]+)"'
- YARA-style condition: response body contains '"repositories":' AND '"username":' AND '"password":'
- Monitor for GET requests to the /api/v1/projects/{project}/detailed endpoint, especially from tokens with only standard project-level or application management permissions. Responses containing 'repositories', 'username', and 'password' fields indicate credential exposure.
- Any Argo CD API token bearing the global RBAC policy 'p, role/user, projects, get, *, allow' is sufficient to exploit this vulnerability; audit all tokens with 'projects get' permissions.
- The vulnerability is not exploitable by unauthenticated users; a valid Argo CD API token is required. Focus detection on authenticated low-privileged token usage against the project details endpoint.
- Patch commit e8f86101f5378662ae6151ce5c3a76e9141900e8 on the argoproj/argo-cd repository can be diffed to understand the exact code path changed, which helps in writing targeted detection rules.
- The Nuclei template requires valid ArgoCD credentials (username/password) to test the vulnerability; it is not an unauthenticated check.
- Affected versions span a wide range: v2.2.0-rc1 and later through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12, and 3.1.0-rc1 through 3.1.1. Fixed versions are 2.13.9, 2.14.16, 3.0.14, and 3.1.2.
- Red Hat notes that exploitation requires some privileges (valid login credentials to create a token, or a stolen token), and that attackers can only tamper with projects associated with the API token, not gain full system control.
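As an added defender-side example (not code from the page, its sources, or the Argo CD project), the Python script below combines the two checks the detection notes above call for: it audits an Argo CD RBAC policy for subjects granted `get` on `projects` (the permission the advisory says is sufficient), and it flags repository entries that carry a username or password in a project-details response body. The policy lines and response body are constructed samples, and the response shape (a top-level `repositories` list of objects with `repo`, `username`, `password`) is assumed from the page's regex.

```python
"""Defender-side checks for CVE-2025-55190 (added example, not from the page's sources).
1. Audit an Argo CD RBAC policy (Casbin CSV, the format of the quoted line
   `p, role/user, projects, get, *, allow`) for subjects granted `get` on projects.
2. Flag repository entries with a username/password in a project-details response.
The policy lines and the response body below are constructed samples.
"""
import json
import re

# Constructed sample policy; the first line is the one quoted in the advisory.
SAMPLE_POLICY = """\
p, role/user, projects, get, *, allow
p, role/readonly, applications, get, */*, allow
p, role/proj-admin, projects, get, payments, allow
p, role/proj-admin, projects, update, payments, allow
g, alice, role/user
"""

# Constructed sample response; the field layout is assumed from the page's regex.
# Encoded without spaces, as Go's encoding/json emits it, so the regex applies.
SAMPLE_RESPONSE = json.dumps({
    "project": {"metadata": {"name": "default"}},
    "repositories": [
        {"repo": "https://git.example.test/team/app.git",
         "username": "deploy-bot", "password": "REDACTED-SAMPLE"},
        {"repo": "https://git.example.test/team/charts.git"},
    ],
    "clusters": [],
}, separators=(",", ":"))

# Regex from the page's detection section.
LEAK_RE = re.compile(r'"repositories":\[.*?"username":"([^"]+)".*?"password":"([^"]+)"')

def subjects_with_project_get(policy_csv: str) -> list[tuple[str, str]]:
    """Return (subject, object) pairs granted `get` (or `*`) on `projects`."""
    hits = []
    for raw in policy_csv.splitlines():
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) != 6 or parts[0] != "p":  # p, subject, resource, action, object, effect
            continue
        _, subject, resource, action, obj, effect = parts
        if resource in ("projects", "*") and action in ("get", "*") and effect == "allow":
            hits.append((subject, obj))
    return hits

def exposed_repo_credentials(body: str) -> list[str]:
    """Repo URLs in a /projects/{name}/detailed body that carry a username or password."""
    repos = json.loads(body).get("repositories") or []
    return [r.get("repo", "<unknown>") for r in repos if r.get("username") or r.get("password")]
```

Run `subjects_with_project_get` over the policy exported from `argocd-rbac-cm` and `exposed_repo_credentials` over captured response bodies; a non-empty result from the second on a patched version would mean the fix did not apply.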
CVSS provenance
- NVD (v3.1): 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- VulnCheck: 9.9 CRITICAL
- Red Hat (vendor): 9.9 CRITICAL
OSV · 2025-09-08
CVE-2025-55190: Argo CD's Project API Token Exposes Repository Credentials in github.com/argoproj/argo-cd
GHSA · 2025-09-04
CVE-2025-55190 [CRITICAL] CWE-200: Argo CD's Project API Token Exposes Repository Credentials
### Summary
Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets.
Component: `Project API (/api/v1/projects/{project}/detailed)`
## Vulnerability Details
### Expected Behavior
API tokens should require explicit permission to access sensitive credential information. Standard project permissions should not grant access to repository secrets.
### Actual Behavior
API tokens with basic project permissions can retrieve all repository credentials associated with a project through the detailed project API endpoint.
OSV · 2025-09-04
CVE-2025-55190 [CRITICAL]: Argo CD's Project API Token Exposes Repository Credentials
VulnCheck · 2025 · CVSS 9.9
CVE-2025-55190 [CRITICAL]: argoproj argo_cd Exposure of Sensitive Information to an Unauthorized Actor
Red Hat · 2025-09-04 · CVSS 9.9
CVE-2025-55190 [CRITICAL] CWE-522: github.com/argoproj/argo-cd: Project API Token Exposes Repository Credentials
No detection rules found.
Nuclei · CVSS 9.9
CVE-2025-55190 [CRITICAL]: ArgoCD Project API Token Repository Credentials Exposure
Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability affects versions v2.2.0-rc1 and later, including 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12, and 3.1.0-rc1 through 3.1.1. Any token with project get permissions is vulnerable, including global permissions.

Note: This template requires valid ArgoCD credentials (username/password) to test the vulnerability.
Template (only the header of the template is shown on this page):

```yaml
id: CVE-2025-55190
info:
  name: ArgoCD Project API Token Repository Credentials Exposure
  author: nukun
```