
Max severity Argo CD API flaw leaks repository credentials


An Argo CD vulnerability allows API tokens with even low project-level get permissions to access API endpoints and retrieve all repository credentials associated with the project.

The flaw, tracked as CVE-2025-55190, is rated with the maximum severity score of 10.0 in CVSS v3, and allows bypassing the isolation mechanisms used to protect sensitive credential information.

Attackers holding these credentials could then use them to clone private codebases, inject malicious manifests, attempt downstream compromise, or pivot to other assets where the same credentials are reused.

Argo CD is a Kubernetes-native continuous deployment (CD) and GitOps tool used by numerous organizations, including large enterprises such as Adobe, Google, IBM, Intuit, Red Hat, Capital One, and BlackRock, which use it to handle large-scale, mission-critical deployments.

The newly discovered vulnerability affects all versions of Argo CD up to 2.13.0.

“Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets,” reads the bulletin published on the project’s GitHub.

“API tokens should require explicit permission to access sensitive credential information,” adds the bulletin in another part, also noting that “Standard project permissions should not grant access to repository secrets.”

The disclosure demonstrates that low-level tokens can retrieve a repository’s username and password.

The attack still requires a valid Argo CD API token, so it isn’t exploitable by unauthenticated users. However, low-privileged users could use such a token to gain access to sensitive data that should not normally be accessible to them.

“This vulnerability does not only affect project-level permissions. Any token with project get permissions is vulnerable, including global permissions such as: p, role/user, projects, get, *, allow,” warns the Argo Project.
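An added audit script, not from the Argo Project or this article, that parses a policy.csv in the format used by the argocd-rbac-cm ConfigMap and lists every role and user whose grants include `projects get` (directly, via a wildcard, or through `g` role membership), which the advisory quoted above says is enough to read repository credentials on an unpatched server; the sample policy is constructed.

```python
import csv
from collections import defaultdict

# Constructed sample policy in Argo CD's policy.csv format (argocd-rbac-cm).
SAMPLE_POLICY = """\
p, role:readonly, applications, get, */*, allow
p, role:readonly, projects, get, *, allow
p, role:deployer, applications, sync, team-a/*, allow
p, role:admin, *, *, *, allow
p, role:ci, applications, get, team-b/*, allow
g, alice, role:readonly
g, ci-bot, role:ci
g, bob, role:deployer
"""


def parse_policy(text):
    """Split policy.csv into grants (subject -> rules) and memberships (subject -> roles)."""
    grants, members = defaultdict(list), defaultdict(set)
    lines = (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    for row in csv.reader(lines):
        row = [field.strip() for field in row]
        if row[0] == "p" and len(row) == 6:      # p, subject, resource, action, object, effect
            grants[row[1]].append(tuple(row[2:]))
        elif row[0] == "g" and len(row) == 3:    # g, subject, role
            members[row[1]].add(row[2])
    return grants, members


def can_read_projects(rules):
    """An allow rule on projects/get, or a wildcard covering it, is all CVE-2025-55190 needs."""
    return any(res in ("projects", "*") and act in ("get", "*") and eff == "allow"
               for res, act, _obj, eff in rules)


def exposed_subjects(text):
    """Roles and users able to call the project details endpoint, following g-chains to a fixed point."""
    grants, members = parse_policy(text)
    exposed = {s for s, rules in grants.items() if can_read_projects(rules)}
    changed = True
    while changed:                 # repeat so that user -> role -> role chains are resolved
        changed = False
        for subject, roles in members.items():
            if subject not in exposed and roles & exposed:
                exposed.add(subject)
                changed = True
    return sorted(exposed)
```

Run `exposed_subjects` over your own policy export; any subject it lists, plus every token issued for it, could read repository credentials until the server is upgraded to a fixed release.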

Because such a wide range of low-privileged tokens can exploit this flaw, the chance of a threat actor obtaining a usable token increases.

Given Argo CD’s widespread deployment in production clusters by major enterprises, the direct credential exposure and low barrier to exploitation make the flaw particularly dangerous, potentially leading to code theft, extortion, and supply chain attacks.

Ashish Goyal discovered the CVE-2025-55190 flaw, and it has been fixed in Argo CD versions 3.1.2, 3.0.14, 2.14.16, and 2.13.9, so administrators of potentially affected systems are advised to move to one of these versions as soon as possible.
