CVE-2025-55190
Published: 04 September 2025
Summary
CVE-2025-55190 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Argoproj Argo CD. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 9.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations to prevent API tokens with project get permissions from retrieving sensitive repository credentials via the project details endpoint.
Limits API token privileges to the minimum necessary, reducing risk of low-privilege tokens exploiting the vulnerability to access secrets.
Mandates timely identification, reporting, and correction of the specific flaw in Argo CD exposing repository credentials.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authenticated information disclosure in the public-facing Argo CD API that enables direct retrieval of repository credentials (T1552 Unsecured Credentials) through exploitation of the exposed endpoint (T1190 Exploit Public-Facing Application).
NVD Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.
Deeper analysis
CVE-2025-55190 is a critical vulnerability (CVSS 3.1 score of 9.9) in Argo CD, a declarative GitOps continuous delivery tool for Kubernetes. It affects versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12, and 3.1.0-rc1 through 3.1.1. The flaw, classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), enables API tokens with project-level permissions to retrieve sensitive repository credentials, including usernames and passwords, via the project details API endpoint. This exposure occurs even if the token only has standard application management permissions and no explicit access to secrets. Any token with project get permissions is vulnerable, including global permissions such as "p, role/user, projects, get, *, allow".
An attacker with low privileges (PR:L), such as a user holding a scoped API token for project get or related permissions, can exploit this over the network (AV:N) without user interaction (UI:N). Successful exploitation grants high-impact access to confidential data (C:H), with potential for integrity (I:H) and availability (A:H) disruptions due to the changed scope (S:C). The attacker can extract repository credentials, enabling unauthorized access to Git repositories integrated with Argo CD for deployment pipelines.
The vulnerability is addressed in Argo CD versions 2.13.9, 2.14.16, 3.0.14, and 3.1.2. Security practitioners should upgrade immediately. Additional mitigation guidance and technical details are available in the GitHub security advisory at https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff and the fixing commit at https://github.com/argoproj/argo-cd/commit/e8f86101f5378662ae6151ce5c3a76e9141900e8.
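A check a defender could run against their own instance, as an added example that is not Argo CD's code or part of the advisory: it tests a version string against the affected ranges listed above and lists the subjects in an RBAC policy whose allow rules cover `projects, get`. The function names, the sample policy and the treatment of `*` in the resource and action columns are assumptions.

```python
import re

# Highest affected patch per release line, from the NVD description quoted on this page.
AFFECTED = {(2, 13): 8, (2, 14): 15, (3, 0): 12, (3, 1): 1}

# Constructed sample policy.csv; the first rule is the one quoted in the advisory text.
SAMPLE_POLICY = """\
p, role/user, projects, get, *, allow
p, role:deployer, applications, sync, team-a/*, allow
p, role:auditor, projects, get, team-a, allow
p, role:blocked, projects, get, *, deny
g, alice, role:deployer
"""

def is_affected(version: str) -> bool:
    """True if the version falls in a range the page lists as affected."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-(rc\d+))?(?:\+.*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    # Only the 3.1.0 release candidates are listed; other pre-releases are not.
    if m.group(4) and (major, minor, patch) != (3, 1, 0):
        return False
    top = AFFECTED.get((major, minor))
    return top is not None and patch <= top

def subjects_with_project_get(policy_csv: str) -> list[str]:
    """Subjects whose allow rules cover `projects, get`."""
    hits = []
    for line in policy_csv.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 6 or fields[0] != "p":
            continue  # skip group bindings, comments and malformed rows
        _, subject, resource, action, _obj, effect = fields
        # Assumption: "*" in the resource or action column matches projects/get.
        if effect == "allow" and resource in ("projects", "*") and action in ("get", "*"):
            hits.append(subject)
    return hits

def exposed_subjects(version: str, policy_csv: str) -> list[str]:
    """Subjects able to reach the credential leak on this version (empty if patched)."""
    return subjects_with_project_get(policy_csv) if is_affected(version) else []

if __name__ == "__main__":
    for v in ("v2.14.15", "3.0.14", "3.1.0-rc1"):
        print(v, exposed_subjects(v, SAMPLE_POLICY))
```

Version 3.0.13 appears in neither the affected nor the fixed list on this page, so `is_affected` reports it as not listed rather than guessing.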
Details
- CWE(s)