
Exposed Repository Credentials Due to Vulnerability in Argo CD API

Argo CD API tokens with restricted permissions found to compromise sensitive repository credentials due to a critical security flaw.

API Security Flaw in Argo CD Exposes Stored Repository Credentials


A significant security issue has been uncovered in Argo CD, a popular open-source continuous integration and continuous delivery (CI/CD) tool. The vulnerability, identified as CVE-2025-55190, stems from an improper authorization check on the project details endpoint of the Project API.

The consequences could be severe for the security of CI/CD pipelines: the JSON response from the endpoint includes plaintext credentials for the repositories connected to the project, creating a wide potential attack surface.

Exposed credentials can lead to source code theft, malicious code injection, and further compromise of development infrastructure. The attack surface is widened further because more general-purpose tokens, not only narrowly scoped ones, can trigger the exposure.

This issue is not confined to project-specific roles: any token holding permissions on a project, including tokens with broader global permissions, is considered vulnerable. Contrary to the expected behavior, tokens with only basic access can fetch this data.

The expected behavior is that any request for sensitive information, such as secrets, requires explicit, elevated permissions. Instead, API tokens with standard project-level permissions can retrieve all repository credentials associated with that project.

Fortunately, the Argo CD development team has addressed the vulnerability and released patches to mitigate the problem. Administrators are advised to upgrade to v3.1.2, v3.0.14, v2.14.16, or v2.13.9 to ensure proper permission checks on the API endpoint and reduce the risk.

Upgrading to a patched version ensures that the flaw in the project details API endpoint, which exposes usernames and passwords, is properly addressed. The Argo CD development team has also taken steps to improve the authorization checks in future updates to prevent similar issues from arising.
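A quick way to act on the advice above is to check each Argo CD instance's reported version against the first fixed release on its branch. The following is an added example, not code from the article or from the Argo CD project; the fixed versions come from the text, while the assumptions that every earlier release on those four branches is affected and that branches the advisory does not list need manual review are ours.

```python
"""Classify an Argo CD version string against the CVE-2025-55190 fixes."""
import re
from typing import Optional, Tuple

# First fixed release on each branch named in the advisory.
FIXED_VERSIONS = {
    (3, 1): (3, 1, 2),
    (3, 0): (3, 0, 14),
    (2, 14): (2, 14, 16),
    (2, 13): (2, 13, 9),
}

# Accepts "v3.1.1", "3.0.14" or "2.14.15+g1a2b3c" (Argo CD appends the
# build commit after "+"); pre-release/build suffixes are ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a version string into (major, minor, patch)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for CVE-2025-55190.

    'unknown' means the release branch is not covered by the advisory
    (assumption: e.g. 2.12 or older), so it needs manual review rather
    than being silently treated as safe.
    """
    major, minor, patch = parse_version(version_text)
    fixed: Optional[Tuple[int, int, int]] = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return "unknown"
    return "fixed" if (major, minor, patch) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory; the instance names and versions are made up.
    inventory = {
        "prod-eu": "v3.1.1",
        "prod-us": "v3.1.2",
        "staging": "2.14.15+g1a2b3c",
        "legacy": "v2.12.7",
    }
    for name, ver in inventory.items():
        print(f"{name:10} {ver:18} {assess(ver)}")
```

Note that a naive string comparison would rank "v3.0.9" above "v3.0.14"; comparing parsed integer tuples per branch avoids that mistake.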

In conclusion, while the discovery of this vulnerability is concerning, the prompt response from the Argo CD team demonstrates their commitment to maintaining the security of their tool. It's crucial for administrators to keep their systems updated to protect against such threats.
