Executive summary
A max-severity flaw (CVE-2025-55190, CVSS 10.0) in Argo CD's Project API let API tokens holding only project "get" permission retrieve repository credentials (usernames and passwords) from the /api/v1/projects/{project}/detailed endpoint, even when those tokens had no access to secrets. Fixed releases are 2.13.9, 2.14.16, 3.0.14 and 3.1.2; every earlier release in those streams is affected. Administrators must patch, rotate repository credentials, and tighten RBAC immediately. (GitHub advisory; NVD; BleepingComputer)
What happened & why it’s critical
- Root cause: insufficient access-control enforcement in Argo CD's Project Details API allowed tokens with project-level "get" permission (including global policies such as p, role/user, projects, get, *, allow) to receive repository connection objects that include usernames and passwords. (GitHub advisory)
- Impact: any user or automation bearing such a token could exfiltrate private Git/Helm repository credentials, enabling supply-chain compromise (repository tampering, credential reuse against other systems) across your GitOps estate. (BleepingComputer)
- Affected versions: 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, every 3.0.x release before 3.0.14, and 3.1.0-rc1 through 3.1.1. Patched: 2.13.9, 2.14.16, 3.0.14, 3.1.2. (NVD; BleepingComputer)
- Severity: the GitHub advisory and NVD rate this at maximum severity (CVSS 10.0), and trade press reports active scanning for exposed instances; treat it as an emergency. (Daily CyberSecurity)
Immediate risk to your environment
- Repository takeover / artifact poisoning: stolen credentials grant write access wherever the exposed account had more than read-only rights on the repository.
- Pipeline pivoting: an adversary can alter Kubernetes manifests or Helm charts, inject backdoors, or roll out rogue workloads through the GitOps sync itself.
- Lateral movement: reused Git credentials may unlock other developer services (SCM, registries, CI/CD).
Confirm whether you’re exposed (15-minute triage)
- Version check: any Argo CD instance whose argocd-server runs below 2.13.9 / 2.14.16 / 3.0.14 / 3.1.2 in its stream is in scope, as is any older, unsupported stream. (NVD)
- RBAC sweep: in argocd-rbac-cm, look for projects "get" grants on broad roles (e.g., role/user) and for API tokens issued to bots or CI pipelines that can read projects. Check policy.default as well: if it is set to the built-in role:readonly, every authenticated account inherits projects, get, *. (GitHub advisory)
- Access logs: inspect argocd-server API and audit logs for calls to /api/v1/projects/*/detailed from unusual users, service accounts, or external IPs over the last 90 days. (GitHub advisory)
Hint (example Splunk query; field names depend on how your logs are ingested)
index=argocd sourcetype=apiserver method=GET uri_path="/api/v1/projects/*/detailed"
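The three triage checks above, as one runnable script. This is an added example for this post, not Argo CD project code: the fixed-version table comes from the advisory, the RBAC parsing follows the policy.csv format of the argocd-rbac-cm ConfigMap, and the log-line shape (logrus fields, with grpc.method=GetDetailedProject for the gRPC method behind the REST path) and all sample data are constructed assumptions; adjust the regexes to your actual log format.

```python
"""Triage checks for CVE-2025-55190: version, RBAC policy, and API log sweep.

Added example for this post, not Argo CD project code. Assumptions: the RBAC text
follows the policy.csv format of argocd-rbac-cm; the log lines are constructed in
the shape of argocd-server logrus/grpc output; the sample data is made up.
"""
import csv
import re

# First patched release per supported stream, from the advisory.
FIXED = {(2, 13): 9, (2, 14): 16, (3, 0): 14, (3, 1): 2}


def parse_version(v):
    """'v3.0.12+abc123' -> (3, 0, 12, None); '3.1.0-rc1' -> (3, 1, 0, 'rc1')."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?", v.strip())
    if not m:
        raise ValueError(f"unparseable Argo CD version: {v!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def is_vulnerable(version):
    """Return (in_scope, reason) for an argocd-server version string."""
    major, minor, patch, pre = parse_version(version)
    stream = (major, minor)
    if stream < (2, 13):
        return True, f"{version}: end-of-life stream with no fix; upgrade"
    if stream not in FIXED:
        return False, f"{version}: stream released after the fix"
    # A pre-release of the fixed patch level (3.0.14-rc1) still predates the fix.
    if (patch, 0 if pre else 1) < (FIXED[stream], 1):
        return True, f"{version}: below first fixed release {major}.{minor}.{FIXED[stream]}"
    return False, f"{version}: patched"


def find_project_get_grants(policy_csv):
    """List every allow rule on projects/get, with the subjects inheriting it via `g` rows.

    Rows: `p, subject, resource, action, object, effect` and `g, subject, role`.
    `broad` marks object `*`, the pattern the advisory calls out.
    """
    rows = [r for r in policy_csv.splitlines() if r.strip() and not r.lstrip().startswith("#")]
    rules, members = [], {}
    for row in csv.reader(rows):
        row = [c.strip() for c in row]
        if row[0] == "g" and len(row) == 3:
            members.setdefault(row[2], []).append(row[1])
        elif row[0] == "p" and len(row) == 6:
            _, subject, resource, action, obj, effect = row
            if resource == "projects" and action in ("get", "*") and effect == "allow":
                rules.append((subject, obj))
    return [{"subject": s, "object": o, "broad": o == "*",
             "inherited_by": sorted(members.get(s, []))} for s, o in rules]


def default_role_exposes_projects(policy_default):
    """policy.default applies to every authenticated account; the built-in
    role:readonly and role:admin both carry `projects, get, *`."""
    return policy_default.strip() in ("role:readonly", "role:admin")


# The REST path, or the gRPC method it maps to (GetDetailedProject in project.ProjectService).
DETAILED_RE = re.compile(r"/api/v1/projects/(?P<path_name>[^/\s\"]+)/detailed|grpc\.method=GetDetailedProject")
CONTENT_RE = re.compile(r'grpc\.request\.content="((?:[^"\\]|\\.)*)"')  # logrus-quoted JSON
SUB_RE = re.compile(r'\\?"sub\\?":\s*\\?"([^"\\]+)')    # "sub" claim inside grpc.request.claims
NAME_RE = re.compile(r'\\?"name\\?":\s*\\?"([^"\\]+)')  # project name inside request content
USER_RE = re.compile(r"\buser=(\S+)")                    # fallback for plain access-log lines


def scan_detailed_project_calls(lines, expected_subjects):
    """Return project-details reads made by anyone not in expected_subjects."""
    hits = []
    for line in lines:
        m = DETAILED_RE.search(line)
        if not m:
            continue
        who = SUB_RE.search(line) or USER_RE.search(line)
        content = CONTENT_RE.search(line)
        name = NAME_RE.search(content.group(1)) if content else None
        subject = who.group(1) if who else "<unknown>"
        project = m.group("path_name") or (name.group(1) if name else "<unknown>")
        if subject not in expected_subjects:
            hits.append({"subject": subject, "project": project})
    return hits


# Constructed sample data (not real policy or logs).
RBAC_SAMPLE = """\
p, role:ci-readonly, projects, get, *, allow
p, role:team-a, projects, get, team-a, allow
p, role:team-a, applications, get, team-a/*, allow
g, ci-bot, role:ci-readonly
g, team-a-devs, role:team-a
"""
LOG_SAMPLE = [
    'time="2025-09-04T09:12:01Z" level=info msg="received unary call" grpc.method=GetDetailedProject '
    'grpc.service=project.ProjectService grpc.request.claims="{\\"sub\\":\\"alice\\"}" '
    'grpc.request.content="{\\"name\\":\\"payments\\"}" system=grpc',
    'time="2025-09-04T09:12:07Z" level=info msg="received unary call" grpc.method=Get '
    'grpc.request.claims="{\\"sub\\":\\"ci-bot\\"}" grpc.request.content="{\\"name\\":\\"payments\\"}"',
    'time="2025-09-04T23:48:19Z" level=info msg="received unary call" grpc.method=GetDetailedProject '
    'grpc.request.claims="{\\"sub\\":\\"ci-bot\\"}" grpc.request.content="{\\"name\\":\\"payments\\"}"',
    'time="2025-09-05T02:03:44Z" level=info msg="GET /api/v1/projects/billing/detailed" user=ci-deployer status=200',
]

if __name__ == "__main__":
    for v in ("v3.0.12+abc123", "3.1.0-rc1", "3.0.14", "2.12.8"):
        print(is_vulnerable(v))
    for rule in find_project_get_grants(RBAC_SAMPLE):
        print("BROAD " if rule["broad"] else "scoped", rule)
    for hit in scan_detailed_project_calls(LOG_SAMPLE, expected_subjects={"alice"}):
        print("unexpected project-details read:", hit)
```

Feed it the argocd-server version reported by argocd version, the policy.csv key of argocd-rbac-cm, and an export of argocd-server logs. Every rule the sweep marks as broad should be replaced by a per-project grant and a group mapping, for example p, role:team-a, projects, get, team-a, allow together with g, team-a-devs, role:team-a.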
Contain, eradicate, recover (first 24–72 hours)
Patch
- Upgrade Argo CD to 2.13.9 / 2.14.16 / 3.0.14 / 3.1.2 (or newer) on every cluster that hosts Argo CD components. (NVD; BleepingComputer)
Credential rotation
- Rotate all repository credentials reachable from affected Projects (Git, Helm, OCI).
- In the SCM, invalidate the exposed tokens and personal access tokens, reset passwords, and review OAuth app authorizations.
RBAC hardening
- Remove blanket rules such as projects, get, * from generic user roles and grant projects "get" per Project, to the role that owns that Project. (GitHub advisory)
- Use short-lived tokens for automation; prefer OIDC-issued, scoped tokens over long-lived project tokens.
Network & egress controls
- Restrict egress from Argo CD components (repo-server, controllers) to allow-listed repository endpoints; block unknown Git/Helm origins.
- Prefer SSH deploy keys or mTLS client certificates for repository access where feasible, so that a leaked password alone is not sufficient.
Forensics & monitoring
- Review Git commit history and branch-protection logs for unauthorized pushes during the vulnerable window.
- Diff the rendered manifests (Kustomize/Helm output) of recent syncs against a trusted baseline for unexpected images, init containers, or sidecars.
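The manifest diff above, as an added example (not Argo CD code): compare the rendered manifests of a trusted baseline sync with the latest one and flag new containers, changed images, and images pulled from registries outside an allowlist. It assumes the manifests have already been parsed into dicts (for real input, run yaml.safe_load_all over the output of argocd app manifests); the sample manifests and the allowlist are constructed.

```python
"""Drift check for rendered Kubernetes manifests (added example, not Argo CD code).

Input: lists of manifest dicts (e.g. yaml.safe_load_all over `argocd app manifests`).
Output: (finding, location, detail) tuples for new or changed containers and for
images served from registries outside an allowlist. Sample data is constructed.
"""

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob", "Pod"}


def pod_spec(manifest):
    """Locate the PodSpec inside the workload kinds handled here."""
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def containers_by_key(manifests):
    """Map (kind, namespace, name, field, container) -> image for every workload container."""
    out = {}
    for m in manifests:
        if m.get("kind") not in WORKLOAD_KINDS:
            continue
        meta = m.get("metadata", {})
        key = (m["kind"], meta.get("namespace", "default"), meta.get("name", ""))
        spec = pod_spec(m)
        for field in ("initContainers", "containers", "ephemeralContainers"):
            for c in spec.get(field, []):
                out[key + (field, c.get("name", ""))] = c.get("image", "")
    return out


def registry_of(image):
    """'ghcr.io/org/app:1.2' -> 'ghcr.io'; 'nginx:1.25' and 'bitnami/nginx' -> 'docker.io'.

    Follows the Docker reference rule: the first path component is a registry only if
    it contains a dot or a port, or is 'localhost'; otherwise Docker Hub is implied.
    """
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def find_drift(baseline, current, allowed_registries):
    """Compare two rendered manifest sets; sorted so output is stable for diffing."""
    base, cur = containers_by_key(baseline), containers_by_key(current)
    findings = []
    for key, image in sorted(cur.items()):
        kind, ns, name, field, cname = key
        where = f"{kind}/{ns}/{name} {field}[{cname}]"
        if key not in base:
            findings.append(("new_container", where, image))
        elif base[key] != image:
            findings.append(("image_changed", where, f"{base[key]} -> {image}"))
        if registry_of(image) not in allowed_registries:
            findings.append(("untrusted_registry", where, image))
    for key in sorted(set(base) - set(cur)):
        kind, ns, name, field, cname = key
        findings.append(("container_removed", f"{kind}/{ns}/{name} {field}[{cname}]", base[key]))
    return findings


# Constructed sample: a trusted baseline and a later sync that grew a sidecar and an init container.
BASELINE = [
    {"kind": "Deployment", "metadata": {"name": "payments-api", "namespace": "payments"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "api", "image": "ghcr.io/example/payments-api:1.42.0"}]}}}},
]
CURRENT = [
    {"kind": "Deployment", "metadata": {"name": "payments-api", "namespace": "payments"},
     "spec": {"template": {"spec": {
         "initContainers": [{"name": "init", "image": "docker.io/library/busybox:1.36"}],
         "containers": [
             {"name": "api", "image": "ghcr.io/example/payments-api:1.42.0"},
             {"name": "helper", "image": "203.0.113.10:5000/tools/agent:latest"}]}}}},
]
ALLOWED_REGISTRIES = {"ghcr.io"}  # constructed allowlist for the demo

if __name__ == "__main__":
    for finding in find_drift(BASELINE, CURRENT, ALLOWED_REGISTRIES):
        print(*finding)
```

Run it against the baseline from the last sync you trust (a commit preceding the vulnerable window) and the current rendered output; anything reported as new_container or untrusted_registry deserves a look at the commit that introduced it.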
Long-term hardening (CyberDudeBivash blueprint)
- Secret isolation: use project-scoped repository Secrets (the project field on the repository Secret) holding read-only deploy credentials; avoid org-wide credentials.
- Admission control: use OPA/Gatekeeper or Kyverno to reject AppProjects with wildcard sourceRepos and repository Secrets that are not scoped to a project.
- Immutable supply chain: adopt Sigstore/cosign and an image policy that requires signed images and blocks unsigned rollouts.
- Zero-trust GitOps: put Argo CD behind SSO with MFA, and restrict API access with an IP allowlist.
- Observability: dashboards for Project API usage, token-age reports that flag long-lived tokens, and alerts on changes to the RBAC ConfigMap.
Communication to leadership (one-slide briefing)
- What: the Argo CD API exposed repository credentials through a Project details endpoint.
- Why it matters: those credentials enable repository tampering, which leads to production compromise.
- Status: patching underway; credentials rotated; RBAC tightened; no confirmed malicious changes (pending full audit).
- Next: implement secret scoping, enable CI-driven drift detection, enforce signed-artifact policies.
Indicators & signals to watch
- API calls to /api/v1/projects/{project}/detailed by service accounts that do not ordinarily manage Projects. (GitHub advisory)
- SCM logs showing token use from new IPs, or failed authentications just before successful pushes.
- Argo CD audit events: unexpected app-of-apps changes, syncs to new Git URLs, or Projects modified without a corresponding change request.
References (authoritative)
- NVD entry for CVE-2025-55190 with affected and fixed versions.
- GitHub Security Advisory GHSA-786q-9hcg-v9ff with root-cause details and the affected endpoint.
- BleepingComputer: fix versions and severity.
- SecurityOnline.info (Daily CyberSecurity): CVSS 10 coverage and remediation summary.
CyberDudeBivash verdict
This is a high-leverage secrets exposure in a central GitOps control plane. Treat CVE-2025-55190 as a supply-chain emergency: patch immediately, rotate credentials, and re-baseline trust in your repos and Projects. Build forward with least privilege, short-lived auth, and signed artifacts to reduce blast radius across clusters.
#ArgoCD #CVE202555190 #GitOps #KubernetesSecurity #SecretsManagement #SupplyChainSecurity #DevSecOps #RBAC #ZeroTrust #CyberDudeBivash
