An Argo CD vulnerability permits API tokens with even low project-level get permissions to access API endpoints and retrieve all repository credentials associated with the project.
The flaw, tracked as CVE-2025-55190, is rated with the maximum severity score of 10.0 in CVSS v3, and allows bypassing isolation mechanisms used to protect sensitive credential information.
Attackers holding these credentials could then use them to clone private codebases, inject malicious manifests, attempt downstream compromise, or pivot to other assets where the same credentials are reused.
Argo CD is a Kubernetes-native continuous deployment (CD) and GitOps tool used by numerous organizations, including large enterprises such as Adobe, Google, IBM, Intuit, Red Hat, Capital One, and BlackRock, which use it to handle large-scale, mission-critical deployments.
The newly discovered vulnerability affects all versions of Argo CD up to 2.13.0.
“Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) via the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets,” reads the bulletin published on the project’s GitHub.
“API tokens should require explicit permission to access sensitive credential information,” adds the bulletin in another part, also noting that “Standard project permissions should not grant access to repository secrets.”
The disclosure demonstrates that low-level tokens can retrieve a repository’s username and password.
The attack still requires a valid Argo CD API token, so it is not exploitable by unauthenticated users. However, low-privileged users could use them to gain access to sensitive data that should not normally be accessible.
“This vulnerability doesn’t only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: p, role/user, projects, get, *, allow,” warns the Argo Project.
Due to the wide breadth of low-privileged tokens that can exploit this flaw, the chance for threat actors to gain access to a token increases.
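Because any subject with `projects get` is enough, a defender's first question is which roles and users in the RBAC policy actually hold it. The following audit script is an added example (not code from the article or from the Argo Project): it parses the `p, subject, resource, action, object, effect` and `g, user, role` lines of an Argo CD `policy.csv`, follows role inheritance, and lists every subject whose effective policy allows `projects get`. The sample policy is constructed, and treating `deny` as overriding `allow` while ignoring object patterns are simplifying assumptions.

```python
import csv
import io

# Constructed sample in Argo CD policy.csv syntax (not from any real deployment).
SAMPLE_POLICY = """\
p, role:readonly, applications, get, */*, allow
p, role:readonly, projects, get, *, allow
p, role:deployer, applications, sync, myproj/*, allow
p, role:admin, *, *, *, allow
p, proj:myproj:viewer, projects, get, myproj, allow
p, role:noprojects, projects, get, *, deny
g, alice, role:readonly
g, ci-bot, role:deployer
g, carol, role:admin
"""

def parse_policy(text):
    """Split policy.csv into ('p' rules as 5-tuples, 'g' memberships as subject -> roles)."""
    rules, groups = [], {}
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or row[0].startswith("#"):
            continue
        if row[0] == "p" and len(row) == 6:
            rules.append(tuple(row[1:]))          # subject, resource, action, object, effect
        elif row[0] == "g" and len(row) == 3:
            groups.setdefault(row[1], set()).add(row[2])
    return rules, groups

def can_get_projects(rules, groups, subject):
    """True if subject, directly or through inherited roles, is allowed 'projects get'.
    Assumption: a matching deny wins over any allow; object patterns are not matched."""
    chain, todo = set(), [subject]
    while todo:                                   # collect the subject and every role it inherits
        s = todo.pop()
        if s not in chain:
            chain.add(s)
            todo.extend(groups.get(s, ()))
    allowed = False
    for subj, resource, action, _obj, effect in rules:
        if subj in chain and resource in ("projects", "*") and action in ("get", "*"):
            if effect == "deny":
                return False
            allowed = True
    return allowed

def audit(text):
    """Return the sorted list of roles and users whose tokens could reach the leaking endpoint."""
    rules, groups = parse_policy(text)
    subjects = {r[0] for r in rules} | set(groups)
    return sorted(s for s in subjects if can_get_projects(rules, groups, s))

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

Run it against your own exported `policy.csv` to see which subjects should be reviewed or rotated before the upgrade is rolled out.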
Given Argo CD’s widespread deployment in production clusters by major enterprises, the direct credential exposure and low barrier to exploitation make the flaw particularly dangerous, potentially leading to code theft, extortion, and supply chain attacks.
Ashish Goyal discovered the CVE-2025-55190 flaw, and it has been fixed in Argo CD versions 3.1.2, 3.0.14, 2.14.16, and 2.13.9, so administrators of potentially impacted systems are advised to move to one of these versions as soon as possible.