CVE-2025-55190
📋 TL;DR
This vulnerability allows API tokens with project-level permissions in Argo CD to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even without explicit access to secrets. It affects Argo CD versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12, and 3.1.0-rc1 through 3.1.1. Any organization running one of these versions is at risk of credential exposure.
💻 Affected Systems
- Argo CD
📦 What is this software?
Argo CD by Argoproj
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to repository credentials, potentially compromising source code, deploying malicious containers, or accessing other connected systems using those credentials.
Likely Case
Internal users or compromised tokens expose repository credentials, leading to unauthorized access to source code repositories and potential supply chain attacks.
If Mitigated
With proper network segmentation and minimal permissions, impact is limited to specific repositories rather than full infrastructure compromise.
🎯 Exploit Status
Requires a valid API token with project permissions, but exploitation is straightforward via ordinary API calls.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.13.9, 2.14.16, 3.0.14, 3.1.2
Vendor Advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff
Restart Required: Yes
Instructions:
1. Identify the current Argo CD version.
2. Upgrade to the patched version matching your major version.
3. Restart Argo CD components.
4. Verify the fix by testing API endpoint behavior.
🔧 Temporary Workarounds
Restrict Project Permissions
Temporarily remove or restrict 'projects, get' permissions from all tokens until patching.
# Review and modify RBAC configurations to remove vulnerable permissions
# Example: Remove 'p, role/user, projects, get, *, allow' from argocd-rbac-cm ConfigMap
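The audit and hardening step described above, as an added example that is not part of the advisory or of Argo CD itself. It assumes policy lines in the `p, subject, resource, action, object, effect` / `g, user, role` format used by argocd-rbac-cm, lists every subject that can still reach project details, and emits the policy with the offending allow rules dropped; the sample policy is constructed. Object patterns are not evaluated, so treat the result as a starting point for review, not a precise authorization check.

```python
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample of an argocd-rbac-cm policy.csv; not taken from any real cluster.
SAMPLE_POLICY_CSV = """\
p, role:org-admin, applications, *, */*, allow
p, role:org-admin, projects, get, *, allow
p, role:ci-deployer, applications, sync, team-a/*, allow
p, proj:team-a:readonly, projects, get, team-a, allow
p, proj:team-b:readonly, projects, *, team-b, allow
p, proj:team-b:readonly, projects, get, team-b, deny
p, role:auditor, *, get, *, allow
g, alice, role:org-admin
"""

FIELDS = ("subject", "resource", "action", "object", "effect")

def parse_policy(text: str) -> Tuple[List[Dict[str, str]], Dict[str, List[str]]]:
    """Split policy.csv into 'p' rules (dicts) and 'g' bindings (user -> roles)."""
    rules, bindings = [], {}
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or row[0].startswith("#"):
            continue
        if row[0] == "p" and len(row) == 6:
            rules.append(dict(zip(FIELDS, row[1:])))
        elif row[0] == "g" and len(row) == 3:
            bindings.setdefault(row[1], []).append(row[2])
    return rules, bindings

def _matches_projects_get(rule: Dict[str, str]) -> bool:
    # '*' is a wildcard for both resource and action, so 'role:auditor, *, get' counts too.
    return rule["resource"] in ("projects", "*") and rule["action"] in ("get", "*")

def subjects_with_projects_get(text: str) -> List[str]:
    """Subjects (roles, project roles, and users bound via 'g') that can call the
    project details API. A matching deny overrides an allow for the same subject."""
    rules, bindings = parse_policy(text)
    allowed, denied = set(), set()
    for r in rules:
        if _matches_projects_get(r):
            (allowed if r["effect"] == "allow" else denied).add(r["subject"])
    effective = allowed - denied
    for user, roles in bindings.items():
        if any(role in effective for role in roles):
            effective.add(user)
    return sorted(effective)

def harden_policy(text: str) -> str:
    """Advisory workaround: drop every allow rule that grants projects/get (wildcard
    rules included; replace those with narrower grants for the resources still needed)."""
    kept = []
    for line in text.splitlines():
        row = next(csv.reader([line], skipinitialspace=True), [])
        if row and row[0] == "p" and len(row) == 6:
            rule = dict(zip(FIELDS, row[1:]))
            if rule["effect"] == "allow" and _matches_projects_get(rule):
                continue
        kept.append(line)
    return "\n".join(kept) + "\n"
```

Feed it the `policy.csv` key of your argocd-rbac-cm (and each AppProject role's policies) to see which tokens still reach the endpoint before the patch is applied.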
🧯 If You Can't Patch
- Rotate all repository credentials stored in Argo CD immediately
- Implement network controls to restrict API access to trusted IPs only
🔍 How to Verify
Check if Vulnerable:
Check the Argo CD version and test whether API tokens with only project permissions can retrieve repository credentials via the project details endpoint.
Check Version:
argocd version --client
Verify Fix Applied:
After patching, verify that API tokens with only project permissions can no longer retrieve repository credentials through the project details API.
📡 Detection & Monitoring
Log Indicators:
- Unusual API calls to project details endpoint from unexpected tokens
- Multiple failed credential usage attempts from new IPs
Network Indicators:
- Unusual outbound connections to repository services from Argo CD pods
SIEM Query:
source="argo-cd" AND (api_endpoint="/api/v1/projects" OR message="project details") AND status=200