A critical vulnerability was disclosed in Argo CD, a popular GitOps continuous delivery tool. This flaw allows project-level API tokens to retrieve sensitive repository credentials such as usernames and passwords, even when those tokens do not have explicit permissions to access secrets.

Overview

Argo CD uses project-level tokens to automate deployment workflows and manage applications.
Due to improper access control in the Project Details API endpoint (/api/v1/projects/{project}/detailed), tokens with only basic project permissions could query this endpoint and receive all repository credentials linked to the project.

This vulnerability affects not only project-scoped tokens, but any token with projects,get permissions, including global roles. Attackers who gain access to such a token could harvest repository secrets and potentially escalate privileges across environments.

Affected Versions

The issue affects multiple branches of Argo CD:

  • Argo CD v2 (Go module github.com/argoproj/argo-cd/v2):
    • Versions ≥ 2.13.0 and < 2.13.9, and versions ≥ 2.14.0 and < 2.14.16, are vulnerable. Patches are available in 2.13.9 and 2.14.16.
  • Argo CD v3 (Go module github.com/argoproj/argo-cd/v3):
    • Versions < 3.0.14, and versions ≥ 3.1.0-rc1 and < 3.1.2, are vulnerable. Patches were released in 3.0.14 and 3.1.2.

When “Get Project” Gets Too Much

The root of this vulnerability lies in Argo CD’s get permission for projects. This permission, which should simply allow users or automation to view basic project details, unintentionally opens the door to sensitive repository credentials.

When a token with get access calls the /api/v1/projects/{project}/detailed endpoint, the response does not contain only project metadata; it also includes plain-text usernames and passwords for all repositories associated with that project. This means that even tokens designed for limited tasks, like syncing applications or reading configurations, can be exploited to steal secrets and gain deeper control over the deployment pipeline.

This misalignment between intended behavior and actual exposure is what makes CVE-2025-55190 so dangerous. It turns what should be a safe read-only permission into a critical point of compromise.

Reproduction Steps

1. Generate a token with project-level permissions:

2. Call the project detail endpoint:

3. Observe that the response includes repository credentials:

Why This Matters

  • Even tokens with seemingly limited project-scoped privileges can be used to steal sensitive credentials.
  • These credentials could be leveraged to access or manipulate source repositories, leading to potential supply chain attacks or full compromise of the deployment environment.
  • Organizations may believe these tokens are safe for automation; this vulnerability invalidates that assumption.

This issue is especially dangerous because tokens are often distributed across pipelines and automation scripts, making them difficult to track and rotate quickly.

Remediation Steps

Immediate Action

Upgrade to a patched Argo CD version:

  • v2: Upgrade to 2.13.9 or 2.14.16
  • v3: Upgrade to 3.0.14 or 3.1.2

Short-Term Mitigation

  • Restrict the use of project-level API tokens wherever possible.
  • Limit exposure of the /api/v1/projects/{project}/detailed endpoint to trusted accounts only.
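
To scope which tokens to restrict or review, the audit below lists every subject in an RBAC policy that is allowed projects, get on a given project. It is an added example, not code from Argo CD or from the original post. The policy text is a constructed sample in Argo CD's policy.csv format; fnmatch globbing and per-subject deny handling are simplifying assumptions, and built-in roles and policy.default are not evaluated.

```python
import csv
from fnmatch import fnmatchcase

# Constructed sample in Argo CD's policy.csv format (as used in argocd-rbac-cm
# and in AppProject role policies). All subjects and projects are made up.
SAMPLE_POLICY = """\
p, role:ci-readonly, applications, get, */*, allow
p, role:ci-readonly, projects, get, *, allow
p, proj:payments:deployer, applications, sync, payments/*, allow
p, proj:payments:deployer, projects, get, payments, allow
p, role:platform, *, *, *, allow
p, role:auditor, proj*, get, *, allow
p, role:auditor, projects, get, payments, deny
p, role:app-only, applications, *, */*, allow
g, alice@example.com, role:ci-readonly
g, platform-team, role:platform
"""


def subjects_with_project_get(policy_text, project):
    """Map each subject allowed `projects, get` on `project` to its bound members."""
    allow, deny, members = set(), set(), {}
    for row in csv.reader(policy_text.splitlines(), skipinitialspace=True):
        row = [field.strip() for field in row]
        if not row or row[0].startswith("#"):
            continue  # blank line or comment
        if row[0] == "g" and len(row) >= 3:
            # g, <user or group>, <role>: remember who inherits the role
            members.setdefault(row[2], set()).add(row[1])
        elif row[0] == "p" and len(row) >= 6:
            _, sub, res, act, obj, eft = row[:6]
            # Assumption: fnmatch globbing approximates Argo CD's glob matching
            # of resource, action and object patterns.
            if (fnmatchcase("projects", res) and fnmatchcase("get", act)
                    and fnmatchcase(project, obj)):
                (deny if eft == "deny" else allow).add(sub)
    # Assumption: a matching deny on the same subject overrides its allows.
    exposed = sorted(allow - deny)
    return {sub: sorted(members.get(sub, ())) for sub in exposed}


if __name__ == "__main__":
    for project in ("payments", "billing"):
        print(project)
        for sub, bound in subjects_with_project_get(SAMPLE_POLICY, project).items():
            print(f"  {sub}  bound to: {', '.join(bound) or '-'}")
```

Wildcard grants such as the constructed role:platform and role:auditor entries are easy to miss in a manual review because they never name projects or get explicitly.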

Long-Term Defense

  • Adopt a least privilege approach to token creation.
  • Implement runtime detection for abnormal API token usage.
  • Use secrets management solutions to secure sensitive data.

How Upwind Protects Against CVE-2025-55190

Upwind provides runtime visibility and detection to catch improper access of sensitive APIs like the Project Details endpoint:

  • Runtime detection via eBPF: Captures unexpected API calls to sensitive endpoints and flags unusual patterns.
  • Vulnerability scanning: Identifies workloads running vulnerable versions of Argo CD.
  • Risk prioritization: Helps teams focus on exposed tokens or workloads with excessive privileges.

By combining runtime monitoring with least-privilege enforcement, Upwind reduces the blast radius of secrets leakage and prevents escalation from compromised tokens. To learn more about how Upwind protects your environment, or for assistance with CVE-2025-55190, reach out to us at [email protected].