CVE-2025-55190

Published Sep 4, 2025

Last updated 3 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-55190 is a vulnerability affecting Argo CD, a GitOps continuous delivery tool for Kubernetes. The vulnerability resides in versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12, and 3.1.0-rc1 through 3.1.1. The vulnerability allows API tokens with project-level permissions to retrieve sensitive repository credentials, such as usernames and passwords, through the project details API endpoint. This occurs even when the token only has standard application management permissions and no explicit access to secrets. The issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.

Description: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.
Source: security-advisories@github.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.9
Impact score: 6
Exploitability score: 3.1
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

security-advisories@github.com: CWE-200

Hype score: Not currently trending

References