The Argo CD project has disclosed and patched a critical vulnerability (CVE-2025-55190, CVSS 10) affecting its popular GitOps continuous delivery platform for Kubernetes. The flaw, found in the Project API, allowed tokens with basic project-level permissions to retrieve sensitive repository credentials, including usernames and passwords.
According to the advisory, “Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets.”
The issue lies in the /api/v1/projects/{project}/detailed endpoint, which failed to properly restrict access to sensitive data.
- Expected behavior: API tokens should only be able to read repository secrets when they have been explicitly granted permission to do so.
- Actual behavior: “API tokens with basic project permissions can retrieve all repository credentials associated with a project through the detailed project API endpoint.”
The vulnerability extended beyond project-level roles. As the advisory highlights, “Any token with project get permissions is also vulnerable, including global permissions such as: p, role/user, projects, get, , allow.”
Exploitation was straightforward. By creating an API token with only project automation roles (for actions like syncing or retrieving applications) and then calling the project details API, attackers could directly retrieve embedded repository credentials.
Example request:
Response (excerpt):
This effectively meant full credential exposure for repositories tied to the project.
The Argo CD team has released updates to address CVE-2025-55190 in the following versions:
- v3.1.2
- v3.0.14
- v2.14.16
- v2.13.9
All users are strongly urged to upgrade to the latest patched release.
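Two checks a defender would want after reading the permission scope quoted above and the list of fixed releases: which RBAC subjects hold `projects, get` (and so could reach the detailed project endpoint on an unpatched instance), and whether a given Argo CD version is at or above the fix for its release line. This is an added example, not Argo CD project code; it assumes the standard `argocd-rbac-cm` policy.csv line format (`p, subject, resource, action, object, effect`), treats the `*` action wildcard as covering `get`, and assumes release lines newer than 3.1 carry the fix.

```python
import re

# Fixed releases from the advisory, keyed by (major, minor) release line.
FIXED_VERSIONS = {
    (3, 1): (3, 1, 2),
    (3, 0): (3, 0, 14),
    (2, 14): (2, 14, 16),
    (2, 13): (2, 13, 9),
}


def parse_version(tag):
    """Turn 'v2.14.15' (or '2.14.15') into a (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version: {tag!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(tag):
    """True if the release is at or above the fixed release of its line.

    Lines older than 2.13 have no listed fix and are reported unpatched;
    lines newer than 3.1 are assumed (our assumption) to include the fix."""
    major, minor, patch = parse_version(tag)
    line = (major, minor)
    if line in FIXED_VERSIONS:
        return (major, minor, patch) >= FIXED_VERSIONS[line]
    return line > max(FIXED_VERSIONS)


def grants_projects_get(policy_csv):
    """Return subjects whose 'p' lines allow 'get' (or '*') on projects.

    Per the advisory, any such grant is enough to reach the detailed
    project endpoint, whichever project object the line names."""
    exposed = []
    for raw in policy_csv.splitlines():
        fields = [f.strip() for f in raw.split(",")]
        if len(fields) < 6 or fields[0] != "p":
            continue  # skips comments, blank lines and 'g' group bindings
        _, subject, resource, action, _obj, effect = fields[:6]
        if resource == "projects" and action in ("get", "*") and effect == "allow":
            exposed.append(subject)
    return exposed


# Constructed sample policy.csv, for illustration only.
SAMPLE_POLICY = """\
p, role/ci-sync, applications, sync, team-a/*, allow
p, role/ci-sync, projects, get, team-a, allow
p, role/readonly, projects, get, *, allow
p, role/viewer, applications, get, */*, allow
g, ci-bot, role/ci-sync
"""
```

Run `grants_projects_get` over the live ConfigMap's policy.csv and `is_patched` over the reported server version to decide which tokens to rotate and whether the upgrade is still outstanding.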