DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-786Q-9HCG-V9FF: CVE-2025-55190: Critical Information Disclosure in Argo CD Project API

Vulnerability ID: GHSA-786Q-9HCG-V9FF
CVSS Score: 9.9
Published: 2025-09-04

Argo CD versions 2.13.0 through 3.1.1 suffer from a critical information disclosure vulnerability (CVSS 9.9) in the Project Details API endpoint. Authenticated attackers with standard project-level read access can bypass intended RBAC restrictions to extract plain-text Git repository passwords and Kubernetes cluster bearer tokens.

TL;DR

Authenticated users with the basic projects, get permission can retrieve unsanitized, plain-text credentials for connected Kubernetes clusters and Git repositories via the /api/v1/projects/{project}/detailed API endpoint, because the handler is missing an object sanitization step.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-200
  • Attack Vector: Network (AV:N)
  • CVSS Score: 9.9 (CRITICAL)
  • EPSS Score: 7.12%
  • Impact: High (Confidentiality, Integrity, Availability)
  • Exploit Status: PoC Available
  • KEV Status: Not Listed

Affected Systems

  • Argo CD
  • Argo CD: 2.13.0 - 2.13.8 (Fixed in: 2.13.9)
  • Argo CD: 2.14.0 - 2.14.15 (Fixed in: 2.14.16)
  • Argo CD: 3.0.0 - 3.0.12 (Fixed in: 3.0.14)
  • Argo CD: 3.1.0-rc1 - 3.1.1 (Fixed in: 3.1.2)

Code Analysis

Commit: e8f8610

Fix for CVE-2025-55190, implementing whitelist sanitization for Repository and Cluster objects in the GetDetailedProject API handler.

Exploit Details

  • GitHub (ProjectDiscovery): Nuclei template for detecting plain-text credentials in the Argo CD detailed project endpoint response.

Mitigation Strategies

  • Upgrade Argo CD to a patched version (2.13.9, 2.14.16, 3.0.14, 3.1.2).
  • Rotate all credentials stored in Argo CD associated with Kubernetes clusters and Git repositories.
  • Audit and restrict Argo CD RBAC configurations to limit the assignment of the projects, get permission.

Remediation Steps:

  1. Identify the current version of Argo CD deployed in the environment.
  2. Update the container image tags or Helm chart versions to point to a patched release (e.g., v3.0.14).
  3. Deploy the updated Argo CD instance.
  4. Inventory all Git repository credentials and Kubernetes cluster tokens managed by Argo CD.
  5. Revoke and regenerate all inventoried credentials at their respective sources (Git provider, Kubernetes clusters).
  6. Update Argo CD with the newly generated credentials.
  7. Review the argocd-rbac-cm ConfigMap to ensure minimal privilege assignment for API tokens and users.
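
Steps 1 and 7 can be scripted. The following is an added example, not code from Argo CD or from the original report: it compares a version string against the "Fixed in" releases listed above and lists the allow rules in a policy.csv value (exported from argocd-rbac-cm as text) that cover projects, get. Glob-style matching of the resource and action fields is assumed, g (role membership) lines are not resolved, and the sample policy is constructed.

```python
import re
from fnmatch import fnmatchcase

# "Fixed in" releases from the Affected Systems list, keyed by (major, minor).
FIXED = {(2, 13): (2, 13, 9), (2, 14): (2, 14, 16), (3, 0): (3, 0, 14), (3, 1): (3, 1, 2)}

def needs_upgrade(version: str) -> bool:
    """True if the version is on a listed release line and below its fixed release."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    parsed = tuple(int(x) for x in m.groups())  # pre-release suffix (-rc1) is ignored
    fixed = FIXED.get(parsed[:2])
    return fixed is not None and parsed < fixed

def project_get_grants(policy_csv: str) -> list[tuple[str, str]]:
    """Return (subject, object) for every allow rule that covers projects, get."""
    grants = []
    for line in policy_csv.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 6 or fields[0] != "p":
            continue  # skip blank lines, comments and g (group) rules
        subject, resource, action, obj, effect = fields[1:6]
        # Wildcards such as "*" in resource or action also grant projects, get.
        if (effect == "allow" and fnmatchcase("projects", resource)
                and fnmatchcase("get", action)):
            grants.append((subject, obj))
    return grants

# Constructed sample of a policy.csv value, not taken from a real deployment.
SAMPLE_POLICY = """\
p, role:dev, applications, sync, team-a/*, allow
p, role:dev, projects, get, team-a, allow
p, role:ops, *, *, *, allow
p, role:audit, projects, get, *, deny
g, alice, role:dev
"""

if __name__ == "__main__":
    for v in ("v2.14.15", "v3.0.14", "3.1.0-rc1"):
        print(v, "needs upgrade" if needs_upgrade(v) else "at or above fixed release")
    for subject, obj in project_get_grants(SAMPLE_POLICY):
        print(f"{subject} is allowed projects, get on {obj}")
```

Every subject it reports could reach the detailed project endpoint on an unpatched instance, so that list also scopes which project credentials to prioritise in steps 4 and 5.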
