Argo CD API Vulnerability Exposes Repository Credentials
Summary
A critical vulnerability in Argo CD, tracked as CVE-2025-55190, allows API tokens that hold only low-level project permissions to retrieve every repository credential associated with their project. The flaw carries the maximum CVSS v3 score of 10.0 and, according to the report, affects all Argo CD versions up to 2.13.0. With the leaked credentials an attacker can clone private codebases, inject malicious manifests into the deployment pipeline, or pivot to any other system where the same credentials are reused. Argo CD is used by numerous large enterprises, including Adobe, Google, IBM, and Capital One, for large-scale, mission-critical deployments. Because project-scoped tokens are meant to be confined to the resources of their own project, the flaw defeats the isolation that is supposed to keep repository secrets out of reach of low-privilege callers, opening the door to code theft, extortion, and supply chain attacks.
Timeline
05.09.2025 18:30 (1 article)
Argo CD API vulnerability (CVE-2025-55190) disclosed
Source:
- Max severity Argo CD API flaw leaks repository credentials — www.bleepingcomputer.com — 05.09.2025 18:30
Information Snippets
- The vulnerability, CVE-2025-55190, affects all versions of Argo CD up to 2.13.0.
- API tokens holding only the project-level get permission can read the repository credentials of that project.
- With those credentials an attacker can clone private codebases, inject malicious manifests, and pivot to other resources where the same credentials are reused.
- Argo CD is used by major enterprises, including Adobe, Google, IBM, and Capital One.
- The flaw bypasses the project isolation that is meant to keep repository credentials out of reach of low-privilege tokens.

All snippets first reported 05.09.2025 18:30, from one source:
- Max severity Argo CD API flaw leaks repository credentials — www.bleepingcomputer.com — 05.09.2025 18:30
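An added example (not code from the page's source or from the Argo CD project) that inventories which subjects in an Argo CD RBAC policy hold the project-level get permission the snippets above describe, since on an unpatched install every such user, role or project token can be used to read the project's repository credentials. It parses Argo CD's Casbin policy CSV format (policy.csv in argocd-rbac-cm; AppProject roles embed the same format in spec.roles[].policies), resolves role inheritance through g-lines, and applies the deny-overrides decision of Argo CD's built-in model. The policy text, subject names and project names are constructed sample input, and the glob matcher is a simplified stand-in for Casbin's (Argo CD's regex match mode is not modelled).

```python
"""Inventory who holds `projects, get` in an Argo CD RBAC policy.

Added example, not Argo CD's own code. CVE-2025-55190 turns the ordinary
project-level `get` permission into read access to a project's repository
credentials, so on an unpatched install the first question is which users,
roles and project tokens hold that grant. Argo CD stores RBAC rules as
Casbin CSV lines of the form
    p, <subject>, <resource>, <action>, <object>, <effect>
    g, <subject>, <role>
The policy below is constructed sample input, not taken from any real cluster.
"""
import re
from collections import defaultdict

SAMPLE_POLICY = """
# constructed sample, mixing global roles and a project-scoped token
p, role:readonly, applications, get, */*, allow
p, role:readonly, projects, get, *, allow
p, role:ci-deployer, applications, sync, payments/*, allow
p, proj:payments:dev-token, projects, get, payments, allow
p, proj:payments:dev-token, applications, get, payments/*, allow
p, role:sync-only, applications, sync, */*, allow
p, role:sync-only, projects, get, *, deny
g, alice, role:readonly
g, ci-bot, role:ci-deployer
g, ci-bot, role:sync-only
"""


def glob_match(pattern, value):
    """Go path.Match-style glob, as Casbin's globMatch uses: '*' and '?' do not
    cross '/'. Argo CD's default matchMode is glob; regex mode is not modelled."""
    rx = "".join("[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value) is not None


def parse_policy(text):
    """Return (rules, grants): rules is the list of p-lines as tuples
    (subject, resource, action, object, effect); grants maps a subject to the
    set of roles it is granted via g-lines."""
    rules, grants = [], defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            grants[fields[1]].add(fields[2])
        else:
            raise ValueError(f"unrecognised policy line: {raw!r}")
    return rules, dict(grants)


def effective_subjects(subject, grants):
    """The subject itself plus every role reachable through g-lines (roles may nest)."""
    seen, stack = set(), [subject]
    while stack:
        s = stack.pop()
        if s not in seen:
            seen.add(s)
            stack.extend(grants.get(s, ()))
    return seen


def decide(subject, resource, action, obj, rules, grants):
    """Argo CD's built-in model: any matching deny wins, otherwise any matching allow."""
    subjects = effective_subjects(subject, grants)
    matches = [r for r in rules
               if r[0] in subjects and glob_match(r[1], resource)
               and glob_match(r[2], action) and glob_match(r[3], obj)]
    if any(r[4] == "deny" for r in matches):
        return False
    return any(r[4] == "allow" for r in matches)


def can_get_project(subject, project, rules, grants):
    """True if the subject can `get` the named project (the permission CVE-2025-55190 abuses)."""
    return decide(subject, "projects", "get", project, rules, grants)


def project_get_holders(project, rules, grants):
    """Every known subject (user, role or project token) allowed to `get` the project."""
    subjects = {r[0] for r in rules} | set(grants)
    for roles in grants.values():
        subjects |= roles
    return sorted(s for s in subjects if can_get_project(s, project, rules, grants))


if __name__ == "__main__":
    rules, grants = parse_policy(SAMPLE_POLICY)
    for project in ("payments", "billing"):
        print(project, "->", project_get_holders(project, rules, grants))
```

Run against an export of the live policy, the output is the list of identities whose tokens need rotating or revoking until the instance is patched; the script only reads policy text and never calls the Argo CD API.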