Saturday, September 6, 2025

Max severity Argo CD API flaw leaks repository credentials

An Argo CD vulnerability allows API tokens with even low project-level get permissions to access API endpoints and retrieve all repository credentials associated with the project.

The flaw, tracked as CVE-2025-55190, is rated with the maximum severity score of 10.0 in CVSS v3, and allows bypassing the isolation mechanisms used to protect sensitive credential data.

Attackers holding these credentials could then use them to clone private codebases, inject malicious manifests, attempt downstream compromise, or pivot to other assets where the same credentials are reused.

Argo CD is a Kubernetes-native continuous deployment (CD) and GitOps tool used by numerous organizations, including large enterprises such as Adobe, Google, IBM, Intuit, Red Hat, Capital One, and BlackRock, which rely on it for handling large-scale, mission-critical deployments.

The newly discovered vulnerability affects all versions of Argo CD up to 2.13.0.

“Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets,” reads the bulletin published on the project’s GitHub.

“API tokens should require explicit permission to access sensitive credential data,” adds the bulletin in another section, also noting that “Standard project permissions should not grant access to repository secrets.”

The disclosure demonstrates that low-level tokens can retrieve a repository’s username and password.

The attack still requires a valid Argo CD API token, so it is not exploitable by unauthenticated users. However, low-privileged users could use such a token to gain access to sensitive data that should not normally be accessible to them.

“This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: p, role/user, projects, get, *, allow,” warns the Argo Project.

Because of the broad range of low-privileged tokens that can exploit this flaw, the chance of a threat actor obtaining a usable token increases.

Given Argo CD’s widespread deployment in production clusters by major enterprises, the direct credential exposure and low barrier to exploitation make the flaw particularly dangerous, potentially leading to code theft, extortion, and supply chain attacks.

Ashish Goyal discovered the CVE-2025-55190 flaw, and it has been fixed in Argo CD versions 3.1.2, 3.0.14, 2.14.16, and 2.13.9, so administrators of potentially affected systems are advised to move to one of these versions as soon as possible.
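As an added example (not code from the Argo CD project or the advisory), the Python helpers below audit an Argo CD RBAC policy for the `projects` `get` grants the advisory singles out and check a running version against the fixed releases listed above. The policy CSV shape and the treatment of minor lines the advisory does not name are assumptions.

```python
# Added audit helpers for CVE-2025-55190; assumption: the standard Argo CD RBAC
# policy CSV shape "p, <subject>, <resource>, <action>, <object>, <effect>".
import csv
import re
from io import StringIO

# Fixed releases named in the advisory, keyed by minor line.
FIXED_VERSIONS = {
    (3, 1): (3, 1, 2),
    (3, 0): (3, 0, 14),
    (2, 14): (2, 14, 16),
    (2, 13): (2, 13, 9),
}

def parse_version(version):
    """Turn 'v2.13.9' or '2.13.9' into a (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(version):
    """True if the release carries the fix. Assumption: minor lines newer than
    3.1 include it; lines older than 2.13 have no fixed release listed."""
    major, minor, patch = parse_version(version)
    if (major, minor) in FIXED_VERSIONS:
        return (major, minor, patch) >= FIXED_VERSIONS[(major, minor)]
    return (major, minor) > (3, 1)

def grants_project_get(policy_csv):
    """Return subjects whose policy lines allow 'get' on 'projects' (or on
    every resource). Before the fix, such tokens can read repository
    credentials via the project details endpoint, so they deserve review."""
    subjects = []
    for row in csv.reader(StringIO(policy_csv)):
        row = [field.strip() for field in row]
        if len(row) != 6 or row[0] != "p" or row[5] != "allow":
            continue
        _, subject, resource, action, _obj, _eff = row
        if resource in ("projects", "*") and action in ("get", "*"):
            subjects.append(subject)
    return subjects

# Constructed sample policy: a broad admin role and a scoped CI reader role.
SAMPLE_POLICY = """\
p, role:admin, *, *, */*, allow
p, role:ci-reader, projects, get, *, allow
p, role:ci-reader, applications, get, default/*, allow
g, ci-bot, role:ci-reader
"""
```

Any subject returned by `grants_project_get` on an unpatched instance should be treated as able to read every repository credential in the projects it can get, and the token rotated once the upgrade is done.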

