A critical API vulnerability in Argo CD—the Kubernetes-native GitOps tool powering deployments at Google, IBM, Adobe, and other tech titans—is exposing repository credentials to attackers with minimal permissions. Rated a perfect 10.0 CVSS score, CVE-2025-55190 shatters isolation safeguards, letting low-privileged tokens retrieve usernames, passwords, and access keys tied to Git repositories.

How the Breach Unfolds

Attackers holding nothing more than a basic project-level "get" permission can exploit the flaw to harvest credentials via Argo CD's project details API endpoint. As the project's GitHub bulletin warns:

"API tokens should require explicit permission to access sensitive credential information... Standard project permissions should not grant access to repository secrets."

This bypass enables:
- Cloning of private codebases
- Injection of malicious Kubernetes manifests
- Downstream infrastructure compromise via credential reuse
- Supply chain attacks targeting critical deployments

Why This Threat Resonates

Argo CD orchestrates mission-critical workloads for finance (BlackRock, Capital One), cloud providers (Google, Red Hat), and enterprise software giants. With compromised credentials, attackers gain keys to the kingdom:

Impact Chain:
1. Low-privileged token acquired (e.g., via phishing/misconfiguration)
2. Exploit retrieves repo credentials via vulnerable API endpoint
3. Private code stolen/manipulated → supply chain poisoning

Though authentication is required, the sheer breadth of vulnerable tokens—including those with global projects/get permissions—dramatically lowers the attack barrier. Researcher Ashish Goyal's discovery underscores systemic risks in permission granularity for DevOps tools.

The Path to Mitigation

Patched versions (Argo CD 3.1.2, 3.0.14, 2.14.16, 2.13.9) now enforce explicit secret-access permissions. Organizations must:
1. Immediately upgrade Argo CD instances
2. Audit project-level token permissions
3. Rotate exposed repository credentials
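An added helper for the first two steps, written for this article and not taken from Argo CD's code base: it checks a running version against the patched releases named above and flags every RBAC subject whose policy grants projects/get. It assumes Argo CD's policy.csv grammar (p, subject, resource, action, object, effect and g, subject, role); the sample policy and subjects are constructed.

```python
"""Audit helper for CVE-2025-55190 mitigation (example code, not Argo CD's own).

Assumes Argo CD's policy.csv grammar:  p, subject, resource, action, object, effect
and  g, subject, role.  The sample policy below is constructed for this example."""
from collections import defaultdict

# Patched versions named in the article, keyed by minor series.
PATCHED = {"3.1": (3, 1, 2), "3.0": (3, 0, 14), "2.14": (2, 14, 16), "2.13": (2, 13, 9)}

# Constructed sample policy: a global role, a project-scoped role, two bindings.
SAMPLE_POLICY = """
p, role:readonly, applications, get, */*, allow
p, role:readonly, projects, get, *, allow
p, role:ci-deployer, applications, sync, payments/*, allow
p, proj:payments:viewer, projects, get, payments, allow
p, role:locked-down, projects, get, *, deny
g, alice@example.com, role:readonly
g, ci-bot, role:ci-deployer
"""

def is_patched(version):
    """True/False for a series the article lists; None for any other series."""
    parts = tuple(int(x) for x in version.lstrip("v").split("."))
    fixed = PATCHED.get(f"{parts[0]}.{parts[1]}")
    return None if fixed is None else parts >= fixed

def parse_policy(text):
    rules, bindings = [], defaultdict(set)
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append(tuple(fields[1:]))  # subject, resource, action, object, effect
        elif fields[0] == "g" and len(fields) == 3:
            bindings[fields[2]].add(fields[1])  # role -> users/groups bound to it
    return rules, bindings

def project_get_grants(text):
    """Map each subject with an allow rule on projects/get to the objects it covers.

    A resource or action of '*' also matches. Deny rules are skipped rather than
    evaluated as overrides, so review each flagged subject by hand."""
    rules, bindings = parse_policy(text)
    report = {}
    for subject, resource, action, obj, effect in rules:
        if effect == "allow" and resource in ("projects", "*") and action in ("get", "*"):
            entry = report.setdefault(
                subject, {"scope": [], "bound_to": sorted(bindings.get(subject, ()))})
            entry["scope"].append(obj)
    return report
```

Subjects of the form proj:<project>:<role> are the ones project-scoped API tokens are issued against, so those entries are the tokens to audit or rotate after upgrading.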

This incident spotlights the cascading dangers of permission over-provisioning in CI/CD ecosystems. As GitOps reshapes cloud-native deployment, securing the pipeline’s crown jewels—credentials—isn’t just best practice; it’s existential.

Source: BleepingComputer