Introduction
Attackers who obtain project-level API tokens in Argo CD can extract sensitive repository credentials, including usernames and passwords, even if those tokens are not meant to access secrets. This flaw impacts a wide range of Argo CD deployments, putting private Git repositories and Kubernetes application pipelines at risk of compromise.
Argo CD is a leading open source GitOps continuous delivery tool for Kubernetes, maintained under the CNCF. It is widely adopted in enterprise and cloud-native environments for managing application deployments using declarative Git workflows. Its security posture is critical due to its role in controlling access to infrastructure and code repositories.
Technical Information
CVE-2025-55190 is rooted in insufficient access control enforcement within the project details API endpoint of Argo CD. Specifically, API tokens with project-level permissions, or with global project get permissions (such as p, role/user, projects, get, *, allow), are able to retrieve sensitive repository credentials. These credentials include usernames and passwords used for authenticating to private Git repositories.
The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The root cause is that the API endpoint fails to properly filter or restrict sensitive credential data in its responses, even for tokens that do not have explicit secret access. As a result, any token with project get permissions can access repository authentication details through the project details API.
Affected versions include 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12, and 3.1.0-rc1 through 3.1.1. The impact is that attackers with access to such tokens can escalate privileges, access private code, and potentially compromise CI/CD pipelines or Kubernetes clusters managed by Argo CD.
Patch Information
In addressing the vulnerability where secret values were exposed in error messages and the diff view during the synchronization of invalid Kubernetes Secret resources, the Argo CD team implemented a crucial patch. This fix ensures that sensitive information is properly redacted, thereby preventing unauthorized access.
The core of the patch involves modifying the error handling mechanism to scrub secret values before they are displayed. This is achieved by introducing a function that replaces sensitive data with a placeholder text, such as "[REDACTED]". Here's a simplified illustration of how the patch operates:
// Function to redact sensitive information func redactSecrets(input string) string { // Logic to identify and replace secret values return strings.ReplaceAll(input, "actual-secret-value", "[REDACTED]") } // Example usage in error handling func handleError(err error) { sanitizedError := redactSecrets(err.Error()) log.Error(sanitizedError) }
By integrating this function, any error message that previously contained unredacted secret values will now display the placeholder, effectively concealing the sensitive data from unauthorized viewers.
To benefit from this security enhancement, users are strongly encouraged to upgrade to the patched versions of Argo CD:
- v2.13.4
- v2.12.10
- v2.11.13
Upgrading to these versions will ensure that your Argo CD deployment is safeguarded against potential information disclosure through error messages.
For more detailed information, you can refer to the official security advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v
Affected Systems and Versions
- Argo CD versions 2.13.0 through 2.13.8
- Argo CD versions 2.14.0 through 2.14.15
- Argo CD versions 3.0.0 through 3.0.12
- Argo CD versions 3.1.0-rc1 through 3.1.1
Any configuration where API tokens have project get permissions is vulnerable, including tokens with global project read access.
Vendor Security History
Argo CD has experienced several critical vulnerabilities in recent years. Notable examples include:
- CVE-2024-31989: Privilege escalation via Redis cache manipulation
- CVE-2025-47933: Cross-site scripting in the UI
The Argo CD team typically responds quickly with patches and advisories. The frequency of severe vulnerabilities highlights the importance of prompt patching and strong RBAC practices in Argo CD environments.