CVE-2025-55190

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-55190
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55190.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-55190
Aliases
Downstream
Related
Published
2025-09-04T22:37:52Z
Modified
2025-11-09T19:56:50.604518Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Argo CD: Project API Token Exposes Repository Credentials
Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: p, role/user, projects, get, *, allow. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.

Database specific 
{
    "cwe_ids": [
        "CWE-200"
    ]
}
References

Affected packages

Git / github.com/argoproj/argo-cd

Affected ranges

Type
GIT
Repo
https://github.com/argoproj/argo-cd
Events
Introduced
347f221adba5599ef4d5f12ee572b2c17d01db4d
Fixed
a70b2293a06be06dbb5fb30d0925331e72a6de14
Database specific 
{
    "versions": [
        {
            "introduced": "2.13.0"
        },
        {
            "fixed": "2.13.9"
        }
    ]
}
Type
GIT
Repo
https://github.com/argoproj/argo-cd
Events
Introduced
4745e08d4fbd9b115e208880eac9a63119a8821c
Fixed
2bb617d02a7d888acaa3544862d3d174ea510816
Database specific 
{
    "versions": [
        {
            "introduced": "2.14.0"
        },
        {
            "fixed": "2.14.16"
        }
    ]
}
Type
GIT
Repo
https://github.com/argoproj/argo-cd
Events
Introduced
e98f483bfd5781df2592fef1aeed1148f150d9c9
Fixed
5a4ef23d96676d13e991ce970d88ba868728ff89
Database specific 
{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.0.14"
        }
    ]
}
Type
GIT
Repo
https://github.com/argoproj/argo-cd
Events
Introduced
320f46f06beaf75f9c406e3a47e2e09d36e2047a
Fixed
791b036d983452402ed4aa0c96a7a9d47842871c
Database specific 
{
    "versions": [
        {
            "introduced": "3.1.0-rc1"
        },
        {
            "fixed": "3.1.2"
        }
    ]
}

Affected versions

v2.*

v2.13.0
v2.13.1
v2.13.2
v2.13.3
v2.13.4
v2.13.5
v2.13.6
v2.13.7
v2.13.8
v2.14.0
v2.14.1
v2.14.10
v2.14.11
v2.14.12
v2.14.13
v2.14.14
v2.14.15
v2.14.2
v2.14.3
v2.14.4
v2.14.5
v2.14.6
v2.14.7
v2.14.8
v2.14.9

v3.*

v3.0.0
v3.0.1
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.1.0
v3.1.0-rc1
v3.1.0-rc2
v3.1.0-rc3
v3.1.0-rc4
v3.1.1