CVE-2025-55190
published 2025-09-04


Priority: P183
Severity: critical, CVSS 3.1 base score 9.9
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitation: exploited in the wild (VulnCheck KEV)
EPSS: 4.52% (90.3th percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.

Affected (12 ranges)

Vendor        Product               Version range              Fixed in
argoproj      argo-cd
argoproj      argo-cd
argoproj      argo-cd
argoproj      argo-cd
argoproj      argo_cd               >= 2.14.0 < 2.14.16        2.14.16
argoproj      argo_cd               >= 2.2.0 < 2.13.9          2.13.9
argoproj      argo_cd               >= 3.0.0 < 3.0.14          3.0.14
argoproj      argo_cd               >= 3.1.0 < 3.1.2           3.1.2
github.com    argoproj_argo-cd_v2   >= 2.13.0 < 2.13.9         2.13.9
github.com    argoproj_argo-cd_v2   >= 2.14.0 < 2.14.16        2.14.16
github.com    argoproj_argo-cd_v3   >= 0 < 3.0.14              3.0.14
github.com    argoproj_argo-cd_v3   >= 3.1.0-rc1 < 3.1.2       3.1.2

Detection & IOCs (extracted from sources)

url: /api/v1/session
url: /api/v1/projects/default/detailed
other: regex: '"repositories":\[.*?"username":"([^"]+)".*?"password":"([^"]+)"'
other: p, role/user, projects, get, *, allow
yara: response body contains: '"repositories":' AND '"username":' AND '"password":'
  • Monitor for GET requests to the /api/v1/projects/{project}/detailed endpoint, especially from tokens with only standard project-level or application management permissions. Responses containing 'repositories', 'username', and 'password' fields indicate credential exposure.
  • Any Argo CD API token bearing global RBAC policy 'p, role/user, projects, get, *, allow' is sufficient to exploit this vulnerability — audit all tokens with 'projects get' permissions.
  • The vulnerability is not exploitable by unauthenticated users; a valid Argo CD API token is required. Focus detection on authenticated low-privileged token usage against the project details endpoint.
  • Patch commit e8f86101f5378662ae6151ce5c3a76e9141900e8 on the argoproj/argo-cd repository can be used to diff and understand the exact code path changed, aiding in writing targeted detection rules.
  • The Nuclei template requires valid ArgoCD credentials (username/password) to test the vulnerability — it is not an unauthenticated check.
  • Affected versions span a wide range: v2.2.0-rc1 and later through 2.13.8, 2.14.0–2.14.15, 3.0.0–3.0.12, and 3.1.0-rc1–3.1.1. Fixed versions are 2.13.9, 2.14.16, 3.0.14, and 3.1.2.
  • Red Hat notes that exploitation requires some privileges (valid login credentials to create a token, or a stolen token), and attackers can only tamper with projects associated with the API token — not gain full system control.
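The two audits the detection notes above call for (which RBAC subjects hold `projects get`, and whether a deployment is behind the fixed release for its branch), as an added Python example that is not part of this page or of Argo CD's own code. The policy.csv content, role and user names are constructed, and the policy matcher treats a literal `*` as the only wildcard form, a simplification of Argo CD's glob matching.

```python
"""Defender-side checks for CVE-2025-55190 (constructed example, not Argo CD project code)."""
import re

FIXED_PATCH = {(2, 13): 9, (2, 14): 16, (3, 0): 14, (3, 1): 2}  # fixed patch per branch, per advisory

# Constructed sample policy.csv in Argo CD's `p, subject, resource, action, object, effect` form.
SAMPLE_POLICY = """\
p, role:ci-deployer, applications, sync, team-a/*, allow
p, role:ci-deployer, projects, get, team-a, allow
p, role:user, projects, get, *, allow
g, svc-pipeline, role:ci-deployer
g, team-a-devs, role:user
"""

def parse_version(v):
    """'v3.1.0-rc1' -> (3, 1, 0, 0); '3.1.2' -> (3, 1, 2, 1). Prereleases sort below finals."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-(rc\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)

def is_vulnerable(v):
    """True/False for branches the advisory lists a fix for; None for any other branch."""
    major, minor, patch, final = parse_version(v)
    fixed = FIXED_PATCH.get((major, minor))
    return None if fixed is None else (patch, final) < (fixed, 1)

def subjects_with_projects_get(policy_csv):
    """Subjects that may `get` projects -> granting lines; `g` bindings resolved transitively."""
    grants, bindings = {}, {}
    for raw in policy_csv.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if parts[0] == "p" and len(parts) == 6:
            _, subject, resource, action, _obj, effect = parts
            if effect == "allow" and resource in ("projects", "*") and action in ("get", "*"):
                grants.setdefault(subject, []).append(line)
        elif parts[0] == "g" and len(parts) == 3:
            bindings.setdefault(parts[2], []).append(parts[1])  # role -> bound members
    result, queue = dict(grants), list(grants)
    while queue:  # propagate each granting role to everything bound to it
        role = queue.pop()
        for member in bindings.get(role, []):
            if member not in result:
                result[member] = result[role]
                queue.append(member)
    return result
```

Every subject the audit returns should be treated as able to reach `/api/v1/projects/{project}/detailed` on an unpatched instance, so its tokens are the ones to watch in the server access logs.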

CVSS provenance

nvd (v3.1): 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vulncheck: 9.9 CRITICAL
vendor_redhat: 9.9 CRITICAL