CVE-2025-23216

6.8 MEDIUM

📋 TL;DR

Argo CD versions before v2.13.4, v2.12.10, and v2.11.13 expose Kubernetes Secret values in error messages and diff views when invalid Secret resources are synced from Git repositories. Any user with read access to Argo CD can view exposed secret data after a malicious or accidental commit triggers a sync. This affects organizations using vulnerable Argo CD versions for GitOps deployments.

💻 Affected Systems

Products:
  • Argo CD
Versions: All versions before v2.13.4, v2.12.10, and v2.11.13
Operating Systems: All platforms running Argo CD
Default Config Vulnerable: ⚠️ Yes
Notes: Requires write access to Git repository and read access to Argo CD. All deployments using vulnerable versions are affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive Kubernetes secrets (API keys, passwords, tokens) are exposed to all Argo CD users, leading to credential theft, lateral movement, and full cluster compromise.

🟠 Likely Case

Accidental exposure of secret values through invalid configuration commits, allowing unauthorized users to view sensitive data in error logs.

🟢 If Mitigated

Limited exposure with strict repository access controls and monitoring, but still risks credential leakage to authorized users.

🌐 Internet-Facing: MEDIUM - Requires authenticated access but exposed secrets could be accessed via web interface.
🏢 Internal Only: HIGH - Internal users with read access can view sensitive secrets, enabling privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires write access to a Git repository that Argo CD syncs from and the ability to trigger a sync. Simple to execute once that access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.13.4, v2.12.10, or v2.11.13

Vendor Advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Update Argo CD using Helm: 'helm upgrade argocd argo/argo-cd --version 2.13.4'. Note that the value passed to '--version' is the Helm chart's own version, which is numbered independently of the Argo CD release; check the chart's appVersion to confirm it ships v2.13.4 or later.
3. Restart the Argo CD components.
4. Verify the version with 'argocd version'.

🔧 Temporary Workarounds

Restrict Repository Write Access (platform: all)

Limit who can commit to Git repositories used by Argo CD to prevent malicious or accidental invalid Secret commits.

Disable Error Message Exposure (platform: linux)

Configure Argo CD to suppress detailed error messages in the UI and logs for Secret sync failures.

argocd-cm ConfigMap: set 'server.disable.error.message.details: true'. Confirm this key against the argocd-cm reference for your Argo CD version before relying on it; a key the server does not recognise is silently ignored and provides no protection.

🧯 If You Can't Patch

  • Implement strict RBAC to limit repository write access to trusted users only
  • Enable audit logging for all Secret sync operations and monitor for failures

🔍 How to Verify

Check if Vulnerable:

Check Argo CD version: 'argocd version' or 'kubectl get deployment argocd-server -o yaml | grep image'

Check Version:

argocd version --client

Verify Fix Applied:

Confirm the version is v2.13.4, v2.12.10, or v2.11.13, or a later release in the same line. Test by committing an intentionally invalid Secret (with dummy values, in a non-production cluster) and verifying that its data does not appear in the resulting error messages or diff view.
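Added example (not from the advisory or the Argo CD project): a small Python check that pulls the version out of either command's output above and compares it with the three fixed releases. It assumes that release lines older than 2.11 have no fix and that lines newer than 2.13 postdate the fix; the sample inputs at the bottom are constructed, not real command output.

```python
import re

# Fixed versions per release line for CVE-2025-23216, from the advisory text.
FIXED = {(2, 13): 4, (2, 12): 10, (2, 11): 13}

# Matches "v2.13.3" or "2.13.3"; anything after the patch number ("+commit",
# "-rc1") is ignored, so a pre-release is judged as its final release.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a line such as
    "argocd: v2.13.3+aabbccd" (first line of `argocd version --client`) or
    "image: quay.io/argoproj/argocd:v2.13.3" (from the kubectl check),
    or None when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if this Argo CD version is affected by CVE-2025-23216.

    Rule from the advisory: every release before v2.13.4, v2.12.10 and
    v2.11.13 is affected. Assumptions (not stated on the page): a release
    line older than 2.11 has no fix and is treated as vulnerable; a line
    newer than 2.13 (2.14+, 3.x) postdates v2.13.4 and is treated as fixed."""
    major, minor, patch = version
    line = (major, minor)
    if line in FIXED:
        return patch < FIXED[line]
    return line < (2, 11)


def check(text):
    """Classify a version line as 'vulnerable', 'fixed' or 'unknown'."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(v) else "fixed"


if __name__ == "__main__":
    # Constructed sample inputs, not real command output.
    for sample in ("argocd: v2.13.3+aabbccd", "image: quay.io/argoproj/argocd:v2.12.10",
                   "v2.11.12", "v2.10.9", "v2.14.0", "no version here"):
        print(f"{sample!r}: {check(sample)}")
```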

📡 Detection & Monitoring

Log Indicators:

  • Error messages containing 'Secret' with exposed base64 data
  • Sync failures for Secret resources with detailed error output

Network Indicators:

  • Unusual API calls to retrieve error details for Secret syncs

SIEM Query:

source="argo-cd" AND ("invalid Secret" OR "secret sync failed") AND message="*base64*"
