CVE-2025-55191
published 2025-09-30


Priority: P430
Severity: medium, base score 5.3 (CVSS 3.1)
Vector: AV:N / AC:H / PR:L / UI:N / S:U / C:N / I:N / A:H
EPSS: 0.44% (35.2th percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL. The vulnerability is located in numerous repository-related handlers in the util/db/repository_secrets.go file. A valid API token with repositories resource permissions (create, update, or delete actions) is required to trigger the race condition. This vulnerability causes the entire Argo CD server to crash and become unavailable. Attackers can repeatedly and continuously trigger the race condition to maintain a denial-of-service state, disrupting all GitOps operations. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.

Affected

12 ranges

Vendor      | Product              | Version range             | Fixed in
------------|----------------------|---------------------------|----------
argoproj    | argo-cd              |                           |
argoproj    | argo-cd              |                           |
argoproj    | argo-cd              |                           |
argoproj    | argo-cd              |                           |
argoproj    | argo_cd              |                           |
argoproj    | argo_cd              | >= 2.1.0 < 2.14.20        | 2.14.20
argoproj    | argo_cd              | >= 3.0.0 < 3.0.19         | 3.0.19
argoproj    | argo_cd              | >= 3.1.0 < 3.1.8          | 3.1.8
github.com  | argoproj_argo-cd_v2  | >= 2.1.0 < 2.14.20        | 2.14.20
github.com  | argoproj_argo-cd_v3  | >= 3.0.0-rc1 < 3.0.19     | 3.0.19
github.com  | argoproj_argo-cd_v3  | >= 3.1.0-rc1 < 3.1.8      | 3.1.8
github.com  | argoproj_argo-cd_v3  | >= 3.2.0-rc1 < 3.2.0-rc2  | 3.2.0-rc2

CVSS provenance

Source         | CVSS version | Score | Severity | Vector
---------------|--------------|-------|----------|--------------------------------------------------
nvd            | v3.1         | 5.3   | MEDIUM   | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
vendor_redhat  |              | 6.5   | MEDIUM   |