Get a Demo
Under Attack?
GHSA-cxm3-wv7p-598c Nx Build System Supply-Chain Compromise-2

CVE-2025-55190: Argo CD Project API Token Exposes Repository Credentials

<br />
<b>Warning</b>:  Undefined variable $photo in <b>/nas/content/live/landing173/wp-content/themes/bricks/includes/elements/code.php(236) : eval()'d code</b> on line <b>33</b><br />
<br />
<b>Warning</b>:  Trying to access array offset on value of type null in <b>/nas/content/live/landing173/wp-content/themes/bricks/includes/elements/code.php(236) : eval()'d code</b> on line <b>33</b><br />
<br />
<b>Warning</b>:  Undefined variable $photo in <b>/nas/content/live/landing173/wp-content/themes/bricks/includes/elements/code.php(236) : eval()'d code</b> on line <b>33</b><br />
<br />
<b>Warning</b>:  Trying to access array offset on value of type null in <b>/nas/content/live/landing173/wp-content/themes/bricks/includes/elements/code.php(236) : eval()'d code</b> on line <b>33</b><br />
Avital Harel, Moshe Hassan September 04, 2025

A critical vulnerability was disclosed in Argo CD, a popular GitOps continuous delivery tool. This flaw allows project-level API tokens to retrieve sensitive repository credentials such as usernames and passwords, even when those tokens do not have explicit permissions to access secrets.

Overview

Argo CD uses project-level tokens to automate deployment workflows and manage applications.
Due to improper access control in the Project Details API endpoint (/api/v1/projects/{project}/detailed), tokens with only basic project permissions could query this endpoint and receive all repository credentials linked to the project.

This vulnerability affects not only project-scoped tokens, but any token with projects,get permissions, including global roles. Attackers who gain access to such a token could harvest repository secrets and potentially escalate privileges across environments.

Affected Versions

The issue affects multiple branches of Argo CD:

  • Argo CD v2 (Go module github.com/argoproj/argo-cd/v2):
    • Versions ≥ 2.13.0 and < 2.13.9; and ≥ 2.14.0 and < 2.14.16 are vulnerable. Patches available in 2.13.9 and 2.14.16.
  • Argo CD v3 (Go module github.com/argoproj/argo-cd/v3):
    •  Versions < 3.0.14; and versions ≥ 3.1.0‑rc1 and < 3.1.2 are vulnerable. Patches released in 3.0.14 and 3.1.2 

When “Get Project” Gets Too Much

The root of this vulnerability lies in Argo CD’s get permission for projects. This permission, which should simply allow users or automation to view basic project details, unintentionally opens the door to sensitive repository credentials.

When a token with get access calls the /api/v1/projects/{project}/detailed endpoint, it doesn’t just return metadata about the project,  it also includes plain-text usernames and passwords for all repositories associated with that project. This means that even tokens designed for limited tasks, like syncing applications or reading configurations, can be exploited to steal secrets and gain deeper control over the deployment pipeline.

This misalignment between intended behavior and actual exposure is what makes CVE-2025-55190 so dangerous. It turns what should be a safe read-only permission into a critical point of compromise.

Reproduction Steps

1. Generate a token with project-level permissions:

p, proj:myProject:project-automation-role, applications, sync, myProject/*, allow
p, proj:myProject:project-automation-role, applications, action/argoproj.io/Rollout/*, myProject/*, allow
p, proj:myProject:project-automation-role, applications, get, myProject/*, allow

2. Call the project detail endpoint:

curl -sH "Authorization: Bearer $ARGOCD_API_TOKEN" 
"https://argocd.example.com/api/v1/projects/myProject/detailed"

3. Observe that the response includes repository credentials:

Screenshot-2025-09-04-at-1.42.41-PM-1024x238

Why This Matters

  • Even tokens with seemingly limited project-scoped privileges can be used to steal sensitive credentials.
  • These credentials could be leveraged to access or manipulate source repositories, leading to potential supply chain attacks or full compromise of the deployment environment.
  • Organizations may believe these tokens are safe for automation; this vulnerability invalidates that assumption.

This issue is especially dangerous because tokens are often distributed across pipelines and automation scripts, making them difficult to track and rotate quickly.

Remediation Steps

Immediate Action

Upgrade to a patched Argo CD version:

  • v2: Upgrade to 2.13.9 or 2.14.16
  • v3: Upgrade to 3.0.14 or 3.1.2

Short-Term Mitigation

  • Restrict the use of project-level API tokens wherever possible.
  • Limit exposure of the /api/v1/projects/{project}/detailed endpoint to trusted accounts only.

Long-Term Defense

  • Adopt a least privilege approach to token creation.
  • Implement runtime detection for abnormal API token usage.
  • Use secrets management solutions to secure sensitive data.

How Upwind Protects Against CVE-2025-55190

Upwind provides runtime visibility and detection to catch improper access of sensitive APIs like the Project Details endpoint:

  • Runtime detection via eBPF: Captures unexpected API calls to sensitive endpoints and flags unusual patterns.
  • Vulnerability scanning: Identifies workloads running vulnerable versions of Argo CD.
  • Risk prioritization: Helps teams focus on exposed tokens or workloads with excessive privileges.

By combining runtime monitoring with least-privilege enforcement, Upwind reduces the blast radius of secrets leakage and prevents escalation from compromised tokens. To learn more about how Upwind protects your environment or for assistance with CVE-2025-55190 reach out to us at [email protected].

401 Authorization Required

401 Authorization Required


nginx
Contents

Further Reading

Superhuman AI

Security AI Needs an Honest Scoreboard: What It’s Superhuman At, and Where It Comes Up Short

If you follow AI at all, you know the leaderboards. Every few weeks a model takes the top spot, and we all check where our favorite landed. But a leaderboard only tells you who's ahead, and it stays quiet about where any of those models still come up short. Which, conveniently, is the part that…
Focus Mode

Find What Matters with Upwind Focus Mode

Focus Mode is now available in the Upwind platform, giving security teams a faster, more focused way to work. Instead of navigating across the platform, you can switch to Focus Mode to slice and dice the Upwind platform by Vulnerability Management, Cloud Security Posture, Attack Surface Management, Administration, or Threats, and starting next week, AI…
Early Advisories

Introducing Early Advisories: Turn Emerging Threats into Action

We’re excited to introduce Early Advisories as part of the Upwind platform. Powered by Upwind's security research team, Early Advisories notify customers about emerging threats, including zero-days and supply chain attacks, before they receive a CVE identifier. Early Advisories are published directly into the Vulnerabilities module alongside CVE-based findings and automatically correlated with your live…