CVE-2025-55190: 
Argo CD vulnerability analysis and mitigation

CVE-2025-55190 is a critical vulnerability discovered in Argo CD, a declarative GitOps continuous delivery tool for Kubernetes. The vulnerability affects versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12, and 3.1.0-rc1 through 3.1.1. The issue was disclosed on September 4, 2025, and allows API tokens with project-level permissions to access sensitive repository credentials through the project details API endpoint (GitHub Advisory, NVD).

The vulnerability exists in the Project API (/api/v1/projects/{project}/detailed) endpoint, where API tokens with basic project permissions can retrieve all repository credentials associated with a project, even when the token only has standard application management permissions and no explicit access to secrets. This includes tokens with global permissions such as 'p, role/user, projects, get, *, allow'. The vulnerability has been assigned a CVSS v3.1 score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (GitHub Advisory).

The vulnerability allows unauthorized access to sensitive repository credentials, including usernames and passwords, potentially compromising the security of connected repositories and enabling further unauthorized access to protected resources. This exposure of sensitive credentials could lead to unauthorized access to source code repositories and deployment environments (Security Online).

The vulnerability has been patched in versions 2.13.9, 2.14.16, 3.0.14, and 3.1.2. Organizations running affected versions of Argo CD should immediately upgrade to the patched versions. The fix includes sanitizing the project API response to remove sensitive information, including credentials of project-scoped repositories and clusters (GitHub Advisory).