
Argo CD repository credential exposure security flaw (CVE-2025-55190)

Vulnerability
H score 25
1 unique sources, 1 articles

Summary


The Argo CD vulnerability CVE-2025-55190 lets low-privileged API tokens retrieve repository usernames and passwords from project endpoints, exposing credentials across all versions up to 2.13.0. It is rated CVSS v3 10.0. Exploitation is not unauthenticated: it requires a valid token, though one with only project-level get permissions is enough.

Timeline

  1. 05.09.2025 18:30 · 2 articles

    Argo CD flaw exposes repository credentials through project API tokens

    Initial Disclosure

    Argo CD has a newly disclosed authorization flaw, CVE-2025-55190, that lets API tokens with low project-level get permissions access project endpoints and retrieve repository usernames and passwords. The issue affects all versions up to 2.13.0, requires a valid Argo CD API token, and can expose credentials that may be reused to clone private codebases, inject malicious manifests, or pivot to other resources.
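Because the exposure depends on which tokens hold project-level get permissions, a first triage step is to inventory those grants. The script below is an added example, not code from the article or from the Argo CD project: it scans RBAC policy text in Argo CD's policy CSV syntax and lists every subject allowed to `get` on `projects`. The sample policy is constructed and all role, project and account names in it are hypothetical.

```python
import csv
import fnmatch
import io

# Constructed sample in Argo CD's RBAC policy CSV syntax; all role, project
# and account names are hypothetical.
SAMPLE_POLICY = """\
# p, <subject>, <resource>, <action>, <object>, <effect>
p, role:readonly-ci, applications, get, */*, allow
p, proj:payments:deployer, projects, get, payments, allow
p, role:auditor, projects, get, *, allow
p, role:dev, projects, update, sandbox, allow
p, role:ops, *, *, *, allow
p, role:blocked, projects, get, payments, deny

g, ci-bot, role:auditor
"""

def subjects_with_project_get(policy_text):
    """Return sorted (subject, project_pattern, members) for every allow rule
    that grants `get` on `projects`, directly or through a wildcard."""
    grants, members = [], {}
    for row in csv.reader(io.StringIO(policy_text), skipinitialspace=True):
        row = [cell.strip() for cell in row]
        if not row or row[0].startswith("#"):
            continue
        if row[0] == "g" and len(row) >= 3:
            # g, <member>, <role>: the member inherits the role's rules
            members.setdefault(row[2], []).append(row[1])
        elif row[0] == "p" and len(row) >= 6:
            subject, resource, action, obj, effect = row[1:6]
            # fnmatch approximates Argo CD's glob matching of policy fields
            if (effect == "allow"
                    and fnmatch.fnmatchcase("projects", resource)
                    and fnmatch.fnmatchcase("get", action)):
                grants.append((subject, obj))
    # Listing only: deny rules that might override a grant are not evaluated.
    return sorted((s, o, tuple(sorted(members.get(s, [])))) for s, o in grants)

if __name__ == "__main__":
    for subject, project, inherited_by in subjects_with_project_get(SAMPLE_POLICY):
        extra = f" (also: {', '.join(inherited_by)})" if inherited_by else ""
        print(f"{subject} can get project '{project}'{extra}")
```

Subjects in the output are the ones whose tokens fall within the condition described above, so the repository credentials reachable from their projects are the first to review.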
