CRITICAL🇵🇱 Wersja polska

CVE-2025-55190

CVSS 9.9v3.1pub. 2025-09-04upd. 2025-09-19

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.

🤖 AI Analysis
How it works

The API endpoint returning project details does not properly filter sensitive repository credential data before returning the response. An API token with the `projects, get` permission — at both project and global levels (e.g., `p, role/user, projects, get, *, allow`) — can retrieve full repository credentials associated with the project, despite not having explicit access to secrets granted. The error is classified as CWE-200 (exposure of sensitive information to unauthorized parties).

Impact

An attacker possessing any API token with project read permission can obtain usernames and passwords to source code repositories, which may lead to repository takeover, code theft, or lateral movement in the CI/CD infrastructure.

Mitigation & patch

Argo CD should be updated to version 2.13.9, 2.14.16, 3.0.14, or 3.1.2, in which the vulnerability has been fixed. Until the update is applied, it is recommended to audit granted API tokens and restrict `projects, get` permissions only to trusted entities.

Who is affected

Argo CD in versions 2.13.0–2.13.8, 2.14.0–2.14.15, 3.0.0–3.0.12, and 3.1.0-rc1–3.1.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Argoproj Argo Cd

    APP
    Argoproj
    2.2.0 – 2.13.9 (bez)2.14.0 – 2.14.16 (bez)3.0.0 – 3.0.14 (bez)3.1.0 – 3.1.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Container
CWE
References

Related vulnerabilities

CVE-2026-42880CRITICAL9.6PL ✓ten sam produkt

Argo CD: ujawnienie danych Secret Kubernetes przez endpoint ServerSideDiff

CVE-2025-47933CRITICAL9.0PL ✓ten sam produkt

XSS w Argo CD — wykonanie akcji w imieniu ofiary via API

CVE-2024-31989CRITICAL9.0PL ✓ten sam produkt

Argo CD: nieautoryzowany dostęp do Redis umożliwia privilege escalation

CVE-2024-21652CRITICAL9.8PL ✓ten sam produkt

Argo CD: Ominięcie ochrony przed brute force logowania

CVE-2024-28175CRITICAL9.0PL ✓ten sam produkt

Argo CD: XSS w adnotacjach linków umożliwia przejęcie uprawnień