Critical Argo CD API Flaw (CVE-2025-55190) Exposes Secrets

A security flaw in Argo CD, the popular open-source GitOps tool for Kubernetes, has put the DevOps and cloud-native communities on alert. Tracked as CVE-2025-55190, the vulnerability has been rated critical with a CVSS score of 9.8 out of 10, as it allows attackers to retrieve sensitive repository credentials, including usernames and passwords, using nothing more than a project-level API token.

The flaw resides in the Project API endpoint (/api/v1/projects/{project}/detailed) of Argo CD. According to the official security advisory, API tokens assigned only basic project-level permissions were able to access repository credentials that should have been off-limits unless explicitly granted.

In simpler terms, even if a token was meant just for managing application sync or triggering rollouts, it could still be used to extract credentials for repositories, including Helm chart repositories, associated with the project. These credentials appeared in API responses, making them visible to anyone with token access.

Security researcher @crenshaw-dev, who coordinated the disclosure along with other contributors, made the vulnerability public three days ago. The bug was identified in Argo CD versions starting from 2.2.0-rc1, and patched updates have since been released in versions v3.1.2, v3.0.14, v2.14.16, and v2.13.9.

The advisory credits @crenshaw-dev with reporting and coordinating the vulnerability, and also credits @ashishgoyal111, @ntammineni5, @34fathombelow, @alexmt, and @svghadi for identifying, reporting, and helping remediate the issue.

A Closer Look at CVE-2025-55190 

The CVE-2025-55190 flaw is considered severe due to the combination of factors involved: 

  • Attack vector: Network 
  • Attack complexity: Low 
  • Privileges required: Low 
  • User interaction: None 
  • Scope: Changed 
  • Confidentiality/Integrity/Availability Impact: High 

This essentially means an attacker with only minor access (e.g., an automation role token) and no user interaction could exploit this to obtain credentials and further compromise a Kubernetes environment. 

The vulnerability isn’t limited to project-specific roles. Tokens with broader permissions, such as a `projects, get` grant that applies across the system, are also affected. This greatly expands the potential attack surface, especially in large enterprise Kubernetes environments using Argo CD for continuous deployment.

Real-World Impact 

A proof-of-concept shared in the security advisory showed how an attacker could exploit the flaw. By creating an API token with limited permissions and querying the /projects/{project}/detailed endpoint, the attacker receives a JSON response containing cleartext usernames and passwords for repositories: 

"repositories": [
  {
    "username": "admin",
    "password": "secret123",
    "type": "helm",
    "name": "test-helm-repo",
    "project": "myProject"
  }
]

Given the widespread use of Argo CD in Kubernetes clusters, the misuse of these credentials could enable attackers to alter application deployments, insert malicious container images, or interfere with the entire software supply chain.

Mitigation and Patching 

The Argo CD team has issued immediate patches across multiple branches: 

  • v3.1.2 
  • v3.0.14 
  • v2.14.16 
  • v2.13.9 

Users running affected versions should upgrade immediately. For organizations unable to apply updates right away, it’s advised to rotate all repository credentials, audit API token permissions, and limit API access until patches can be implemented. 
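As an added example (not code from the advisory or the Argo CD project), the following Python script automates two of the checks above: it tells whether a given Argo CD version falls inside the affected range and patched releases quoted in this article, and it lists the subjects in an `argocd-rbac-cm` policy.csv that hold the broader `projects, get` grant the article flags, as a starting point for the token audit. The sample policy and the treatment of branches the article does not list are assumptions.

```python
import csv
import re
from io import StringIO

# Patched releases per branch, as listed in the article; the affected
# range starts at 2.2.0-rc1.
FIXED = {(3, 1): (3, 1, 2), (3, 0): (3, 0, 14),
         (2, 14): (2, 14, 16), (2, 13): (2, 13, 9)}
FIRST_AFFECTED = (2, 2, 0)
NEWEST_FIX = max(FIXED.values())

def parse_version(text):
    """Turn 'v3.1.2' or '2.2.0-rc1' into a comparable (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version):
    """True when the version is in the affected range and below its fix.
    Assumption: branches the article does not list (e.g. 2.12) count as
    vulnerable, and anything at or above the newest fix counts as fixed."""
    ver = parse_version(version)
    if ver < FIRST_AFFECTED:
        return False
    fixed = FIXED.get(ver[:2])
    return ver < fixed if fixed is not None else ver < NEWEST_FIX

def grants_project_get(policy_csv):
    """Subjects in an argocd-rbac-cm policy.csv allowed `projects, get`
    (or a wildcard covering it): the broader grant the article flags."""
    subjects = set()
    for row in csv.reader(StringIO(policy_csv), skipinitialspace=True):
        if len(row) < 6 or row[0].strip() != "p":
            continue  # skip comments, blank lines and group ('g') bindings
        subject, resource, action, _obj, effect = (c.strip() for c in row[1:6])
        if effect == "allow" and resource in ("projects", "*") and action in ("get", "*"):
            subjects.add(subject)
    return sorted(subjects)

# Constructed sample policy; not taken from any real deployment.
SAMPLE_POLICY = """\
p, role:ci-deployer, applications, sync, myProject/*, allow
p, role:ci-deployer, projects, get, *, allow
p, role:platform-admin, *, *, *, allow
p, role:denied, projects, get, *, deny
g, ci-bot, role:ci-deployer
"""
```

Subjects returned by `grants_project_get` are candidates for tightening; on an unpatched server every project-role token should still be treated as able to reach the detailed endpoint.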

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.