
September 8, 2025

Critical vulnerability affecting Argo CD API publicly disclosed


On September 5, 2025, researchers publicly disclosed a critical vulnerability in Argo CD tracked as CVE-2025-55190.

Argo CD is a Kubernetes-native continuous deployment tool widely used in enterprise environments to manage application delivery through GitOps workflows. It is maintained under the Cloud Native Computing Foundation and adopted by organizations such as Adobe, Google, IBM, and Red Hat.

The vulnerability affects the following Argo CD versions:

  • 2.13.0 through 2.13.8
  • 2.14.0 through 2.14.15
  • 3.0.0 through 3.0.12
  • 3.1.0-rc1 through 3.1.1

On September 4, the maintainers of the Argo Project released versions 2.13.9, 2.14.16, 3.0.14, and 3.1.2 to address the issue.
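A quick way to triage a fleet against the affected and fixed versions listed above, as an added example that is not part of this advisory or of the Argo Project's own tooling. It takes a version string as printed by `argocd version` (with or without a leading `v`, pre-release tag or build metadata) and reports whether that release is in a listed affected range, at or above the listed fix, or not covered by the advisory at all; the `3.0.13` case falls into the last bucket because the advisory lists 3.0.12 as the last affected and 3.0.14 as the fix.

```python
import re

# Affected ranges and fixed releases exactly as stated in the advisory:
# (first affected, last affected, fixed release) per minor line.
CVE_2025_55190_RANGES = [
    ((2, 13, 0), (2, 13, 8), "2.13.9"),
    ((2, 14, 0), (2, 14, 15), "2.14.16"),
    ((3, 0, 0), (3, 0, 12), "3.0.14"),
    ((3, 1, 0), (3, 1, 1), "3.1.2"),  # 3.1.0-rc1 shares the 3.1.0 core
]

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)"          # major.minor.patch
    r"(?:-([0-9A-Za-z.]+))?"           # optional pre-release, e.g. rc1
    r"(?:\+[0-9A-Za-z.]+)?$"           # optional build metadata, e.g. +abc123
)


def parse_version(text):
    """Return ((major, minor, patch), prerelease_or_None) for an Argo CD version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version string: {text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    return core, m.group(4)


def cve_2025_55190_status(version):
    """Classify a running version against the advisory.

    Returns ("affected", fixed), ("patched", fixed) or ("not listed", None).
    Pre-release tags are ignored on purpose: 3.1.0-rc1 is listed as affected,
    so anything with a 3.1.0 core inside the range is treated as affected.
    """
    core, _pre = parse_version(version)
    for first, last, fixed in CVE_2025_55190_RANGES:
        if first <= core <= last:
            return "affected", fixed
        same_minor = core[:2] == first[:2]
        if same_minor and core >= parse_version(fixed)[0]:
            return "patched", fixed
    # Older minor lines, or patch levels the advisory does not mention
    # (e.g. 3.0.13), are reported as unlisted rather than guessed at.
    return "not listed", None


if __name__ == "__main__":
    # Constructed sample inputs; in practice feed the output of `argocd version`.
    for v in ["v2.13.8+abc123", "2.14.16", "v3.0.13", "v3.1.0-rc1", "2.12.3"]:
        print(v, "->", cve_2025_55190_status(v))
```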

The flaw enables unauthorized access to sensitive repository credentials via the project details Application Programming Interface (API) endpoint. A threat actor could use a low-privileged token to extract credentials for private Git repositories, clone source code, inject malicious manifests, and pivot into downstream infrastructure.

In environments where credentials are reused across systems, this could lead to full compromise of Kubernetes clusters and continuous integration pipelines. This bypasses isolation mechanisms intended to protect sensitive data and undermines role-based access control configurations.

Researchers assigned a maximum severity rating of 10 out of 10 to this flaw. The US National Vulnerability Database lists a Common Vulnerability Scoring System (CVSS) v3.1 rating of 9.9.


Analyst insight

This vulnerability affects a core component of modern DevOps infrastructure: Argo CD often holds privileged access to source control, secrets management, and deployment automation. The low barrier to exploitation and the widespread use of Argo CD in production environments heighten the risk of supply chain compromise, data exfiltration, and lateral movement.

Administrators are advised to deploy the new Argo CD versions listed above, which include fixes that enforce stricter access control on the project details API endpoint. The patch modifies the API response logic to redact sensitive credential data unless the token has explicit secret access permissions.