Critical Argo CD API Flaw Exposes Repository Credentials to Attackers
A major security flaw has been discovered in Argo CD, a popular open-source tool used for Kubernetes GitOps deployments.
The vulnerability allows project-level API tokens to expose sensitive repository credentials, such as usernames and passwords, to attackers. The issue has been classified as critical with a CVSS score of 9.8/10 and is tracked as CVE-2025-55190.
The flaw was publicly disclosed three days ago by security researcher crenshaw-dev, who coordinated the report along with other community contributors.
The vulnerability affects Argo CD versions starting from 2.2.0-rc1 and has now been patched in versions v3.1.2, v3.0.14, v2.14.16, and v2.13.9.
Details of the Vulnerability
The flaw exists in the Project API endpoint (/api/v1/projects/project/detailed). API tokens with project-level permissions, such as those typically used for synchronization or automation tasks, can unintentionally access repository credentials. This happens even if the tokens do not explicitly have permissions to view secrets.
| CVE ID | CVE-2025-55190 |
| Title | Argo CD Project API Token Exposes Repository Credentials |
| Severity | Critical (9.8/10) |
Under normal security logic, repository credentials should only be exposed to accounts or roles explicitly permitted to manage them.
However, in this case, a token with standard project permissions is able to retrieve sensitive details, including helm repository usernames and passwords.
This vulnerability impacts not only project-scoped roles but also global permissions. Tokens holding a generic "get" permission on projects are equally exposed, which significantly expands the attack surface.
A proof-of-concept shows that creating a token with automation roles and calling the project details API returns sensitive repository information.
The output contains repository entries with usernames and passwords in plain text, allowing attackers to pivot into broader system compromise.
Security experts warn that attackers exploiting this flaw could misuse repository credentials to tamper with deployments, introduce malicious images, or disrupt the software supply chain.
Since exploitation requires only low privileges and no user interaction, its risk profile is extremely high.
Patches and Mitigation
The Argo CD team has released security patches in multiple branches. Users are strongly advised to upgrade to one of the patched releases immediately:
- v3.1.2
- v3.0.14
- v2.14.16
- v2.13.9
Organizations unable to patch right away should rotate repository credentials and restrict access to API tokens until updates are applied.
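To turn the version information above into a quick triage check, the following Python script (an added example, not code from the Argo CD project or the advisory) classifies a running Argo CD version as patched, vulnerable, or outside the release lines the advisory names. It assumes the input is a plain version string such as "v3.1.1" or "v2.14.15+abc1234" (the "+build" suffix is stripped), and the patched and first-affected versions are exactly those listed on this page.

```python
"""Classify an Argo CD version against the CVE-2025-55190 patched releases."""
import re
import sys

# Patched releases named in the advisory, keyed by release line (major, minor).
PATCHED = {
    (3, 1): (3, 1, 2),
    (3, 0): (3, 0, 14),
    (2, 14): (2, 14, 16),
    (2, 13): (2, 13, 9),
}
NEWEST_PATCHED_LINE = max(PATCHED)

# First affected release named in the advisory: 2.2.0-rc1.
FIRST_AFFECTED = (2, 2, 0, "rc1")

# Accepts "v3.1.1", "3.1.1", "v2.2.0-rc1", "v2.14.15+abc1234" (build metadata ignored).
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+[0-9A-Za-z.]+)?$"
)


def parse_version(text):
    """Return (major, minor, patch, prerelease_or_None) or raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, m.group(4)


def _sort_key(version):
    # Semver ordering: a pre-release (e.g. rc1) sorts before the final release
    # with the same numbers, so "v3.1.2-rc1" is still older than "v3.1.2".
    major, minor, patch, pre = version
    return (major, minor, patch, 0 if pre else 1, pre or "")


def assess(version_text):
    """Return (status, reason) for the given Argo CD version string.

    status is one of "not_affected", "vulnerable", "patched", "unlisted_newer".
    """
    v = parse_version(version_text)
    if _sort_key(v) < _sort_key(FIRST_AFFECTED):
        return "not_affected", "predates 2.2.0-rc1, the first affected release"

    line = (v[0], v[1])
    fixed = PATCHED.get(line)
    if fixed is None:
        if line > NEWEST_PATCHED_LINE:
            return ("unlisted_newer",
                    f"{line[0]}.{line[1]} is newer than the release lines in the "
                    "advisory; confirm against the upstream advisory")
        return ("vulnerable",
                f"release line {line[0]}.{line[1]} has no patched release in the "
                "advisory; upgrade to a supported line")

    fixed_tag = f"v{fixed[0]}.{fixed[1]}.{fixed[2]}"
    if _sort_key(v) >= _sort_key(fixed + (None,)):
        return "patched", f"at or above {fixed_tag}"
    return "vulnerable", f"upgrade to {fixed_tag} (or rotate repo credentials now)"


if __name__ == "__main__":
    for arg in sys.argv[1:] or ["v3.1.1", "v3.1.2", "v2.2.0-rc1", "v2.12.3"]:
        status, reason = assess(arg)
        print(f"{arg:14s} {status:15s} {reason}")
```

Run it with one or more version strings as arguments (for example the value reported by the running API server); the exit status is not used, so wrap it in your own check if you want a CI gate. Versions newer than any patched line are reported separately rather than assumed safe, because the advisory does not say anything about them.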