An Argo CD vulnerability allows API tokens with even low project-level get permissions to access API endpoints and retrieve all repository credentials associated with the project.
The flaw, tracked as CVE-2025-55190, is rated with the maximum severity score of 10.0 in CVSS v3, and allows bypassing the isolation mechanisms used to protect sensitive credential data.
Attackers holding these credentials could then use them to clone private codebases, inject malicious manifests, attempt downstream compromise, or pivot to other resources where the same credentials are reused.
Argo CD is a Kubernetes-native continuous deployment (CD) and GitOps tool used by numerous organizations, including large enterprises such as Adobe, Google, IBM, Intuit, Red Hat, Capital One, and BlackRock, which use it to handle large-scale, mission-critical deployments.
The newly discovered vulnerability affects all versions of Argo CD up to 2.13.0.
“Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets,” reads the bulletin published on the project’s GitHub.
“API tokens should require explicit permission to access sensitive credential data,” adds the bulletin in another part, also noting that “Standard project permissions should not grant access to repository secrets.”
The disclosure demonstrates that low-level tokens can retrieve a repository’s username and password.
The attack still requires a valid Argo CD API token, so it isn’t exploitable by unauthenticated users. However, low-privileged users could use such tokens to gain access to sensitive data that should not normally be accessible to them.
“This vulnerability doesn’t only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: p, role/user, projects, get, *, allow,” warns the Argo Project.
Because such a wide range of low-privileged tokens can exploit this flaw, the chance of a threat actor obtaining a usable token increases.
Given Argo CD’s widespread deployment in production clusters by major enterprises, the direct credential exposure and low barrier to exploitation make the flaw particularly dangerous, potentially leading to code theft, extortion, and supply chain attacks.
Ashish Goyal discovered the CVE-2025-55190 flaw, and it has been fixed in Argo CD versions 3.1.2, 3.0.14, 2.14.16, and 2.13.9, so administrators of potentially impacted systems are advised to move to one of these versions as soon as possible.
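For administrators who want to scope their exposure, the two facts above (any RBAC rule granting get on projects, and the fixed releases) can be turned into a quick audit. The following script is an added example and is not code from the article or from the Argo CD project: it parses Argo CD RBAC policy lines in the `p, subject, resource, action, object, effect` form quoted by the advisory, reports which subjects can read project details, and checks a server version against the fixed releases named above. The sample policy is constructed; the wildcard and deny handling is a simplified approximation of Argo CD's casbin matcher (no group expansion), which is an assumption of this example.

```python
"""Audit helpers for CVE-2025-55190 exposure in Argo CD.

Added example, not from the article or the Argo CD project. Only the fixed
versions and the 'projects get' rule shape are taken from the advisory; the
sample policy below is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Fixed releases named in the advisory, keyed by minor series. Earlier patch
# levels in the same series are treated as vulnerable; series not listed here
# return None so the operator verifies them by hand.
FIXED_VERSIONS = {
    "3.1": (3, 1, 2),
    "3.0": (3, 0, 14),
    "2.14": (2, 14, 16),
    "2.13": (2, 13, 9),
}

# Constructed sample policy.csv; not taken from any real deployment.
SAMPLE_POLICY = """\
# read-only role: project get is enough to read repo credentials when unpatched
p, role:readonly, applications, get, */*, allow
p, role:readonly, projects, get, *, allow
p, role:dev, applications, *, team-a/*, allow
p, role:dev, projects, get, team-a, allow
p, role:ci, applications, sync, team-a/*, allow
p, role:audit, *, get, *, allow
p, role:audit, projects, get, *, deny
g, alice, role:dev
"""


@dataclass(frozen=True)
class PolicyRule:
    subject: str
    resource: str
    action: str
    obj: str
    effect: str


def parse_policy(csv_text: str) -> list[PolicyRule]:
    """Parse 'p, subject, resource, action, object, effect' rules.

    Group-membership ('g') lines, comments and malformed lines are skipped;
    this simplified parser does not expand groups into roles (assumption).
    """
    rules = []
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] != "p" or len(fields) != 6:
            continue
        rules.append(PolicyRule(*fields[1:]))
    return rules


def _glob_match(pattern: str, value: str) -> bool:
    """Argo CD policy fields use '*' as a wildcard; translate it to a regex."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, value) is not None


def subjects_with_project_get(rules: list[PolicyRule]) -> set[str]:
    """Subjects allowed to 'get' any project (explicit denies override allows)."""
    allowed, denied = set(), set()
    for r in rules:
        if _glob_match(r.resource, "projects") and _glob_match(r.action, "get"):
            (allowed if r.effect == "allow" else denied).add(r.subject)
    return allowed - denied


def parse_version(version: str) -> tuple[int, int, int]:
    """Accept 'v2.13.8' or '2.13.8'; ignore any pre-release suffix."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str):
    """True/False against the fixed release of the version's minor series; None if unlisted."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get(f"{major}.{minor}")
    if fixed is None:
        return None
    return (major, minor, patch) >= fixed


def audit(policy_csv: str, version: str) -> dict:
    """Combine both checks: who holds project get, and whether the server is fixed."""
    exposed = sorted(subjects_with_project_get(parse_policy(policy_csv)))
    patched = is_patched(version)
    return {
        "version": version,
        "patched": patched,
        "subjects_with_project_get": exposed,
        # At risk unless the server is confirmed patched; unlisted series count as unverified.
        "at_risk": bool(exposed) and patched is not True,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, "v2.13.8"))
```

On the constructed policy, `role:readonly` and `role:dev` are reported (the global `role:audit` allow is cancelled by its explicit deny), and any version below the fixed release of its series is flagged. In practice the policy text comes from the `argocd-rbac-cm` ConfigMap and the version from the API server, which is left to the operator here.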




