
An Argo CD vulnerability allows API tokens, even those with only low, project-level permissions, to reach the affected endpoints and retrieve all repository credentials associated with the project.
The flaw, tracked as CVE-2025-55190, is rated with the maximum CVSS v3 severity score of 10.0 and allows bypassing the separation mechanisms meant to protect sensitive credential information.
Attackers holding those credentials can then use them to clone private codebases, inject malicious manifests, attempt downstream compromises, or pivot to other resources where the same credentials are reused.
Argo CD is a Kubernetes-native continuous delivery (CD) and GitOps tool used by many organizations, including large enterprises such as Adobe, Google, IBM, Intuit, Red Hat, Capital One and BlackRock, which use it to manage deployments at scale.
The newly discovered vulnerability affects all Argo CD versions going back to 2.13.0.
“Argo CD API tokens with project-level permissions can retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the tokens have only standard application management permissions and no explicit access to secrets,” reads the bulletin published on the project’s GitHub.
“API tokens must require explicit permission to access sensitive credential information,” the bulletin adds elsewhere, noting that “standard project permissions should not provide access to repository secrets.”
The disclosure indicates that low-privileged tokens can retrieve a repository's usernames and passwords.
The attack still requires a valid Argo CD API token, so it cannot be exploited by unauthenticated users. However, low-privileged users can use it to gain access to sensitive data that should not normally be reachable.
“This vulnerability is not limited to project-level permissions. Any token with project get permissions is also vulnerable, including those with global permissions such as: p, role/user, projects, get, *, allow,” the Argo project warned.
Because such a broad range of low-privileged tokens can exploit this flaw, the chance that a threat actor gets hold of a usable token increases.
Given the widespread deployment of Argo CD in production clusters by major enterprises, the direct credential exposure and the low barrier to exploitation make the flaw particularly dangerous, potentially enabling code theft, forced deployments, and supply chain attacks.
Ashish Goyal discovered CVE-2025-55190, and it has been fixed in newer Argo CD versions. Administrators of potentially affected systems are advised to upgrade to one of the fixed versions as soon as possible.
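The warning above boils down to one question for a defender: which subjects in my RBAC policy hold `get` on `projects` (directly, via a wildcard, or inherited through a role binding), and for which projects? Those are the tokens whose repository credentials must be treated as exposed until the server is upgraded and the credentials rotated. The following audit script is an added example, not code from the Argo CD project or the advisory. It assumes Argo CD's `policy.csv` format (`p, subject, resource, action, object, effect` rules, `g, user, role` bindings, glob-matched objects, and a deny-overrides evaluation model); the policy rows, user names and project names are constructed for the example.

```python
"""Audit an Argo CD RBAC policy for subjects that can read project details.

On servers affected by CVE-2025-55190, any subject with 'get' on 'projects'
could read the repository credentials of the matching projects. This script
lists those subjects per project so their tokens and credentials can be
prioritised for rotation. It is an independent example, not Argo CD code.
"""
import fnmatch
from collections import defaultdict

# Constructed sample policy in Argo CD's policy.csv format. None of these
# rows come from a real deployment or from the advisory; the project-scoped
# subject 'proj:team-a:deployer' stands in for a project-level token.
SAMPLE_POLICY = """\
# Global roles
p, role:admin, *, *, *, allow
p, role:readonly, applications, get, */*, allow
p, role:readonly, projects, get, *, allow
p, role:dev-team, applications, *, team-a/*, allow
p, role:dev-team, projects, get, team-a, allow
p, role:ci-bot, applications, sync, team-a/*, allow
p, role:ci-bot, projects, get, team-a, deny
# Project-level role (assumed to be bound to a project-scoped token)
p, proj:team-a:deployer, projects, get, team-a, allow
# User to role bindings
g, alice, role:readonly
g, ci-deployer, role:ci-bot
g, bob, role:dev-team
"""


def parse_policy(text):
    """Split policy.csv text into 'p' rules and 'g' bindings."""
    rules = []                      # (subject, resource, action, object, effect)
    bindings = defaultdict(set)     # user -> {role, ...}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            bindings[fields[1]].add(fields[2])
    return rules, dict(bindings)


def project_get_grants(rules):
    """Collect allow/deny object patterns per subject for 'get' on 'projects'.

    A wildcard resource or action ('*') also grants project read access.
    """
    grants = defaultdict(lambda: {"allow": [], "deny": []})
    for subject, resource, action, obj, effect in rules:
        if resource in ("projects", "*") and action in ("get", "*") \
                and effect in ("allow", "deny"):
            grants[subject][effect].append(obj)
    return dict(grants)


def effective_grants(subject, grants, bindings):
    """Merge a subject's own grants with those of every role it is bound to."""
    allow, deny = [], []
    for s in [subject, *sorted(bindings.get(subject, ()))]:
        g = grants.get(s)
        if g:
            allow += g["allow"]
            deny += g["deny"]
    return allow, deny


def exposed_projects(allow, deny, projects):
    """Projects readable by a subject; a matching deny rule overrides allow."""
    matches = lambda pats, name: any(fnmatch.fnmatchcase(name, p) for p in pats)
    return [p for p in projects if matches(allow, p) and not matches(deny, p)]


def audit(policy_text, projects):
    """Return {subject: [exposed project, ...]} for every exposed subject."""
    rules, bindings = parse_policy(policy_text)
    grants = project_get_grants(rules)
    findings = {}
    for subject in sorted(set(grants) | set(bindings)):
        allow, deny = effective_grants(subject, grants, bindings)
        exposed = exposed_projects(allow, deny, sorted(projects))
        if exposed:
            findings[subject] = exposed
    return findings


if __name__ == "__main__":
    for subject, projs in audit(SAMPLE_POLICY, ["team-a", "team-b"]).items():
        print(f"{subject}: repo credentials of {', '.join(projs)} readable")
```

Run against a real deployment, the policy text would come from the `argocd-rbac-cm` ConfigMap plus each AppProject's roles, and the project list from `argocd proj list`. Subjects reported here are the ones whose tokens could have been used to read repository secrets before the upgrade, so their tokens are the first to revoke and the matching repository credentials the first to rotate; `role:ci-bot` shows the deny-overrides behaviour, where an explicit deny on the same project cancels the allow.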


