CVE-2025-55190
BaseFortify
Publication date: 2025-09-04
Last updated on: 2025-09-19
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| argoproj | argo_cd | From 2.2.0 (inc) to 2.13.9 (exc) |
| argoproj | argo_cd | From 2.14.0 (inc) to 2.14.16 (exc) |
| argoproj | argo_cd | From 3.0.0 (inc) to 3.0.14 (exc) |
| argoproj | argo_cd | From 3.1.0 (inc) to 3.1.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Argo CD allows API tokens with project-level permissions, or any token with project get permissions, to retrieve sensitive repository credentials such as usernames and passwords through the project details API endpoint. This happens even if the token only has standard application management permissions and no explicit access to secrets. It affects multiple versions of Argo CD and is fixed in later versions.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized disclosure of sensitive repository credentials, which can compromise the security of your repositories and potentially allow attackers to gain further access or control over your Kubernetes deployments and infrastructure.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade Argo CD to one of the fixed versions: 2.13.9, 2.14.16, 3.0.14, or 3.1.2. Additionally, review and restrict API tokens with project get permissions to minimize exposure until the upgrade is applied.