A critical security flaw, tracked as CVE-2025-55190, has been disclosed in Argo CD, the Kubernetes-native GitOps and continuous delivery platform. The vulnerability enables API tokens with even limited project-level permissions to retrieve sensitive repository credentials, including plaintext usernames and passwords, through the Project Details API endpoint.
Overview
Argo CD is widely used to automate deployments, synchronize applications, and manage large-scale Kubernetes environments. The flaw stems from improper authorization checks in the /api/v1/projects/{project}/detailed endpoint. Tokens designed for routine project management tasks, such as syncing applications or viewing configurations, can unexpectedly query this endpoint and obtain credentials for all repositories tied to the project.
The problem is not confined to project-scoped tokens. Any token-carrying projects, get permissions—including global roles—can be exploited. This misconfiguration turns a read-only action into a gateway for secret exfiltration, undermining the platform’s core security model.
Severity and Impact
Rated with the highest possible CVSS v3 score of 10.0, the vulnerability effectively bypasses isolation mechanisms intended to safeguard repository credentials. An attacker holding a valid but low-privileged API token can harvest sensitive data without explicit authorization.
With stolen credentials, attackers could:
- Clone and leak private codebases.
- Inject malicious manifests into the CI/CD pipeline.
- Compromise downstream systems or supply chains.
- Exploit reused credentials to pivot across infrastructure.
Given Argo CD’s adoption across major enterprises—including Adobe, Google, IBM, Intuit, Red Hat, Capital One, and BlackRock—the risk is amplified. The flaw’s low barrier to exploitation and broad token exposure make it a prime vector for source code theft, extortion, and large-scale compromises.
Affected Versions
The vulnerability impacts multiple branches of Argo CD:
- Argo CD v2 (github.com/argoproj/argo-cd/v2)
- Vulnerable: ≥ 2.13.0 and < 2.13.9; and ≥ 2.14.0 and < 2.14.16
- Fixed: 2.13.9, 2.14.16
- Vulnerable: ≥ 2.13.0 and < 2.13.9; and ≥ 2.14.0 and < 2.14.16
- Argo CD v3 (github.com/argoproj/argo-cd/v3)
- Vulnerable: < 3.0.14; and ≥ 3.1.0-rc1 and < 3.1.2
- Fixed: 3.0.14, 3.1.2
- Vulnerable: < 3.0.14; and ≥ 3.1.0-rc1 and < 3.1.2
Exploitation
Exploitation is straightforward. With a valid token holding project-level permissions, an attacker can:
- Generate or acquire a token to get project rights.
- Call the Project Details endpoint.
- Receive a JSON response containing a repositories object that lists plaintext usernames and passwords.
While unauthenticated users cannot trigger the vulnerability, the sheer number of low-level tokens distributed across automation scripts and CI/CD pipelines increases the likelihood of exposure. Tokens thought to be safe for automation are suddenly a liability.
Why It Matters
- Low privileges become high risk: Tokens intended for basic operations can be weaponized to steal secrets.
- Supply chain exposure: Compromised repositories could allow malicious code to be inserted into pipelines.
- Difficult recovery: Tokens are often embedded in automation, complicating revocation and rotation.
- Enterprise scale: With Argo CD’s presence in critical production clusters, the fallout could be widespread.
This misalignment between intended functionality and actual behavior makes CVE-2025-55190 one of the most severe threats currently facing Argo CD users.
Remediation
Immediate Action
- Upgrade to a patched release:
- v2: 2.13.9 or 2.14.16
- v3: 3.0.14 or 3.1.2
- v2: 2.13.9 or 2.14.16
Short-Term Mitigation
- Minimize reliance on project-level API tokens.
- Restrict access to the /api/v1/projects/{project}/detailed endpoint to trusted accounts only.
Long-Term Defense
- Enforce least privilege policies when issuing tokens.
- Deploy runtime monitoring to flag anomalous API activity.
- Use dedicated secrets management systems to reduce credential exposure.
Conclusion
Discovered by Ashish Goyal, CVE-2025-55190 highlights how overlooked access controls can escalate into enterprise-scale security crises. With credential exposure, supply chain compromise, and code theft all on the table, immediate patching is paramount. Organizations are urged to upgrade without delay and adopt stronger runtime defenses to safeguard their deployment pipelines.
