CVE-2025-55191
Published 2025-09-30
Priority: P4 (30)
Severity: medium, CVSS 3.1 base score 5.3
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.44% (35.2th percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL. The vulnerability is located in numerous repository related handlers in the util/db/repository_secrets.go file. A valid API token with repositories resource permissions (create, update, or delete actions) is required to trigger the race condition. This vulnerability causes the entire Argo CD server to crash and become unavailable. Attackers can repeatedly and continuously trigger the race condition to maintain a denial-of-service state, disrupting all GitOps operations. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Affected version ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo_cd | >= 2.1.0 < 2.14.20 | 2.14.20 |
| argoproj | argo_cd | >= 3.0.0 < 3.0.19 | 3.0.19 |
| argoproj | argo_cd | >= 3.1.0 < 3.1.8 | 3.1.8 |
| github.com | argoproj_argo-cd_v2 | >= 2.1.0 < 2.14.20 | 2.14.20 |
| github.com | argoproj_argo-cd_v3 | >= 3.0.0-rc1 < 3.0.19 | 3.0.19 |
| github.com | argoproj_argo-cd_v3 | >= 3.1.0-rc1 < 3.1.8 | 3.1.8 |
| github.com | argoproj_argo-cd_v3 | >= 3.2.0-rc1 < 3.2.0-rc2 | 3.2.0-rc2 |
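The ranges above have pre-release bounds (3.0.0-rc1, 3.1.0-rc1, 3.2.0-rc1) and the 3.2 range ends at another pre-release, so a plain string comparison on the version tag gets them wrong: "3.1.0-rc1" must count as affected, and a hypothetical "rc10" must sort after "rc2". The Go program below is an added example, not code from this page or from the Argo CD project: it parses a version string in the shape `argocd version` prints (`v2.14.19+abc123`, build metadata after `+` ignored), compares it semver-style, and reports whether it falls inside one of the four affected ranges and which fixed version closes that range. The type and function names (`semver`, `IsAffected`, `cve202555191`) are my own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// semver is a parsed version: numeric core plus an optional pre-release tag.
// An empty pre tag is a final release, which sorts after any pre-release of
// the same core ("3.1.0-rc1" < "3.1.0"), matching how the advisory ranges read.
type semver struct {
	core [3]int
	pre  string
}

// parseSemver accepts "v2.14.19", "2.14.19", "3.1.0-rc1" and "v2.14.19+abc123";
// build metadata after '+' is dropped, as semver requires.
func parseSemver(s string) (semver, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i]
	}
	var v semver
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre, s = s[i+1:], s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("version %q: want MAJOR.MINOR.PATCH", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("version %q: bad component %q", s, p)
		}
		v.core[i] = n
	}
	return v, nil
}

func cmpInt(a, b int) int {
	switch {
	case a < b:
		return -1
	case a > b:
		return 1
	}
	return 0
}

// cmpPre orders tags like "rc1" < "rc2" < "rc10": the trailing number is split
// off the alphabetic prefix and compared numerically, not lexically.
func cmpPre(a, b string) int {
	split := func(s string) (string, int) {
		i := len(s)
		for i > 0 && s[i-1] >= '0' && s[i-1] <= '9' {
			i--
		}
		n, _ := strconv.Atoi(s[i:]) // "" parses to 0
		return s[:i], n
	}
	ap, an := split(a)
	bp, bn := split(b)
	if c := strings.Compare(ap, bp); c != 0 {
		return c
	}
	return cmpInt(an, bn)
}

// compare returns -1, 0 or 1 for a < b, a == b, a > b.
func compare(a, b semver) int {
	for i := 0; i < 3; i++ {
		if c := cmpInt(a.core[i], b.core[i]); c != 0 {
			return c
		}
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "":
		return 1 // final release sorts after a pre-release of the same core
	case b.pre == "":
		return -1
	}
	return cmpPre(a.pre, b.pre)
}

// affectedRange is [lo, hi): lo is the first affected version, hi the fix.
type affectedRange struct{ lo, hi string }

// cve202555191 reproduces the ranges from the advisory's affected table.
var cve202555191 = []affectedRange{
	{"2.1.0", "2.14.20"},
	{"3.0.0-rc1", "3.0.19"},
	{"3.1.0-rc1", "3.1.8"},
	{"3.2.0-rc1", "3.2.0-rc2"},
}

// IsAffected reports whether version lies in an affected range and, if so,
// which fixed version closes that range.
func IsAffected(version string) (affected bool, fixedIn string, err error) {
	v, err := parseSemver(version)
	if err != nil {
		return false, "", err
	}
	for _, r := range cve202555191 {
		lo, _ := parseSemver(r.lo) // table literals, known to parse
		hi, _ := parseSemver(r.hi)
		if compare(v, lo) >= 0 && compare(v, hi) < 0 {
			return true, r.hi, nil
		}
	}
	return false, "", nil
}

func main() {
	// Constructed sample tags in the shape `argocd version` prints.
	for _, s := range []string{"v2.14.19+abc123", "v2.14.20", "v3.1.0-rc1", "v3.2.0-rc2", "latest"} {
		affected, fix, err := IsAffected(s)
		switch {
		case err != nil:
			fmt.Println(s, "->", err)
		case affected:
			fmt.Printf("%s -> affected, upgrade to %s\n", s, fix)
		default:
			fmt.Printf("%s -> not affected\n", s)
		}
	}
}
```

Feed it the `argocd-server:` line from `argocd version`, or the image tag of the server deployment; on a default install that is `kubectl -n argocd get deploy argocd-server -o jsonpath='{.spec.template.spec.containers[0].image}'` (namespace and deployment name are the defaults and may differ in your cluster). A tag such as `latest` is rejected rather than silently treated as unaffected.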
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (CVSS v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Red Hat (vendor) | 6.5 | MEDIUM | — |
Red Hat
github.com/argoproj/argo-cd/v2, github.com/argoproj/argo-cd/v3: Argo CD race condition leading to crash
vendor_redhat·2025-09-30·CVSS 6.5·MEDIUM·CWE-362
OSV
Repository Credentials Race Condition Crashes Argo CD Server in github.com/argoproj/argo-cd
osv·2025-10-23
GHSA
Repository Credentials Race Condition Crashes Argo CD Server
ghsa·2025-09-30·MEDIUM·CWE-362
### Summary
A race condition in the repository credentials handler can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL.
### Details
The vulnerability is located in numerous repository-related handlers in the `util/db/repository_secrets.go` file, for example the `secretToRepoCred` function. The issue manifests as a concurrent map access panic:
```
concurrent map read and map write
...
goroutine 1104 [running]:
github.com/argoproj/argo-cd/v2/util/db.(*secretsRepositoryBackend).secretToRepoCred(0xc000e50ea8?, 0xc000c65540)
/go/src/github.com/argoproj/argo-cd/util/db/repository_secrets.go:404 +0x31e
```
The race condition occurs due to:
1. Concurrent repository
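The stack trace above is the Go runtime's map-access check firing. One caveat matters for impact assessment: "concurrent map read and map write" is a runtime throw (`fatal error:`), not a recoverable panic, so a `recover()` in a gRPC or HTTP interceptor cannot contain it and the whole server process exits. That is why the advisory says the entire Argo CD server becomes unavailable, and why a caller with only create/update/delete rights on repositories can keep it down by looping. The Go program below is an added example and is not Argo CD's code (the real handlers in `util/db/repository_secrets.go` are not reproduced here); it models the shape the trace points at, a credential map keyed by repository URL that one handler reads while another writes, in its racy form (`unsafeStore`) and a hardened form (`safeStore`) guarded by a `sync.RWMutex`. All type and function names are hypothetical.

```go
package main

import (
	"fmt"
	"sync"
)

// repoCred stands in for a repository credential record keyed by repo URL
// (hypothetical type for this example).
type repoCred struct {
	URL      string
	Username string
}

// credStore is what the create/update/delete handlers (Upsert/Delete) and
// the read path (Lookup) call. Both backends below implement it.
type credStore interface {
	Upsert(c repoCred)
	Delete(url string)
	Lookup(url string) (repoCred, bool)
}

// unsafeStore is the racy pattern: a plain map shared by every request
// goroutine with no synchronisation. A write overlapping a read makes the
// runtime abort the process; recover() cannot catch it.
type unsafeStore struct{ m map[string]repoCred }

func newUnsafeStore() *unsafeStore                        { return &unsafeStore{m: map[string]repoCred{}} }
func (s *unsafeStore) Upsert(c repoCred)                  { s.m[c.URL] = c }
func (s *unsafeStore) Delete(url string)                  { delete(s.m, url) }
func (s *unsafeStore) Lookup(url string) (repoCred, bool) { c, ok := s.m[url]; return c, ok }

// safeStore is the hardened form: a sync.RWMutex serialises writers and
// lets readers run concurrently with each other but never with a writer.
type safeStore struct {
	mu sync.RWMutex
	m  map[string]repoCred
}

func newSafeStore() *safeStore { return &safeStore{m: map[string]repoCred{}} }

func (s *safeStore) Upsert(c repoCred) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.m[c.URL] = c
}

func (s *safeStore) Delete(url string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.m, url)
}

func (s *safeStore) Lookup(url string) (repoCred, bool) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	c, ok := s.m[url]
	return c, ok
}

func (s *safeStore) Len() int {
	s.mu.RLock()
	defer s.mu.RUnlock()
	return len(s.m)
}

// hammer models what a caller with repositories create/update/delete rights
// can do: fire concurrent writes at one repository URL while other goroutines
// read the same key. It returns the number of lookups that completed.
func hammer(s credStore, url string, workers, rounds int) int {
	var wg sync.WaitGroup
	reads := make([]int, workers) // one slot per reader, so no shared counter
	for w := 0; w < workers; w++ {
		wg.Add(2)
		go func(id int) { // writer: create/update then delete, repeatedly
			defer wg.Done()
			for i := 0; i < rounds; i++ {
				s.Upsert(repoCred{URL: url, Username: fmt.Sprintf("svc-%d-%d", id, i)})
				s.Delete(url)
			}
		}(w)
		go func(id int) { // reader: the list/get path
			defer wg.Done()
			for i := 0; i < rounds; i++ {
				s.Lookup(url)
				reads[id]++
			}
		}(w)
	}
	wg.Wait()
	total := 0
	for _, n := range reads {
		total += n
	}
	return total
}

func main() {
	const url = "https://git.example.com/platform/app.git" // constructed sample
	// Swap in newUnsafeStore() to watch the runtime abort the process;
	// `go run -race .` reports the data race deterministically first.
	store := newSafeStore()
	fmt.Printf("completed %d lookups, %d entries left\n", hammer(store, url, 8, 2000), store.Len())
}
```

With `safeStore` the run always completes and the map ends empty, because every writer's last operation is a `Delete` and the mutex makes the operations totally ordered. With `unsafeStore` the same `hammer` call either dies with the fatal error from the trace above or, under `-race`, prints a "DATA RACE" report naming the read and write sites. A `sync.Map` would also work for this shape, but it only protects individual map operations; anything that reads a value and then writes back a derived one still needs a mutex around the pair.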
OSV
Repository Credentials Race Condition Crashes Argo CD Server
osv·2025-09-30·MEDIUM
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.