
CVE-2025-55190: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in argoproj argo-cd

Severity: Critical
Tags: Vulnerability, CVE-2025-55190, CWE-200
Published: Thu Sep 04 2025 (09/04/2025, 22:37:52 UTC)
Source: CVE Database V5
Vendor/Project: argoproj
Product: argo-cd

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.

AI-Powered Analysis

Last updated: 09/04/2025, 23:08:54 UTC

Technical Analysis

CVE-2025-55190 is a critical information-disclosure flaw (CWE-200) in Argo CD, a GitOps continuous delivery tool for Kubernetes. Affected releases are 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12, and 3.1.0-rc1 through 3.1.1. In these versions the project details API endpoint returns the repository credentials (usernames and passwords) attached to a project to any caller whose RBAC policy allows `projects get` on that project: the endpoint treats a grant on the project object as sufficient to read the secrets behind it, so a token with only standard application-management rights and no explicit access to secrets can read them. The exposure is not limited to project-scoped tokens. Any token with project get rights is affected, including one holding the global grant `p, role/user, projects, get, *, allow`. The reported CVSS 3.1 base score is 10.0: network attack vector, low attack complexity, privileges required (a valid Argo CD API token), no user interaction, and high impact on confidentiality, integrity, and availability, where the integrity and availability impact follows from what the stolen repository credentials unlock rather than from the endpoint itself. With those credentials an attacker can read source repositories and, where the credentials allow writes, alter deployment manifests or inject malicious workloads into the clusters Argo CD manages. Fixed versions are 2.13.9, 2.14.16, 3.0.14, and 3.1.2. No exploitation in the wild had been reported at the time of this analysis, but the attack is a single authenticated API call, so any low-privileged or leaked token (for example one issued to a CI pipeline) is enough to carry it out.
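The grant quoted above is a line in the format of Argo CD's policy.csv: `p, subject, resource, action, object, effect`, with `g, member, role` lines binding users or groups to roles. The Go program below is an added example, not Argo CD's own code; it answers the audit question this advisory raises, namely which subjects in a policy can `get` a given project and could therefore, on an affected version, read that project's repository credentials. The sample policy is constructed for the example: its `role:readonly` line mirrors the grant carried by Argo CD's built-in read-only role, and its `role/user` line is the advisory's global grant. Two simplifications are assumptions: `path.Match` stands in for Argo CD's glob match mode (equivalent for project names, which contain no slash), and `deny` overrides `allow`, as in Argo CD's Casbin model.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// grant is one "p, subject, resource, action, object, effect" line of policy.csv.
type grant struct{ subject, resource, action, object, effect string }
type policy struct {
	grants   []grant
	roles    map[string][]string // g lines: member -> roles
	subjects map[string]bool     // every subject named in a p or g line
}

// samplePolicy is a constructed policy.csv: the role:readonly line mirrors the
// built-in read-only role, the role/user line is the advisory's global grant.
const samplePolicy = `
p, role:admin, *, *, *, allow
p, role:readonly, projects, get, *, allow
p, role:deployer, applications, *, team-a/*, allow
p, role/user, projects, get, *, allow
p, role:auditor, projects, get, team-a, allow
p, role:auditor, projects, get, team-b, deny
g, alice, role:deployer
g, bob, role:auditor
g, ci-bot, role/user
`

func parsePolicy(csv string) policy {
	pol := policy{roles: map[string][]string{}, subjects: map[string]bool{}}
	for _, raw := range strings.Split(csv, "\n") {
		f := strings.Split(raw, ",")
		for i := range f {
			f[i] = strings.TrimSpace(f[i])
		}
		if f[0] == "p" && len(f) == 6 {
			pol.grants = append(pol.grants, grant{f[1], f[2], f[3], f[4], f[5]})
		} else if f[0] == "g" && len(f) == 3 {
			pol.roles[f[1]] = append(pol.roles[f[1]], f[2])
		} else {
			continue // blank line, comment, or malformed line
		}
		pol.subjects[f[1]] = true
	}
	return pol
}

// globMatch stands in for Argo CD's glob match mode (assumption); for project
// names, which contain no "/", path.Match gives the same answer.
func globMatch(pattern, value string) bool {
	ok, err := path.Match(pattern, value)
	return err == nil && ok
}

// effectiveSubjects adds subject and every role it reaches through g lines to seen.
func effectiveSubjects(pol policy, subject string, seen map[string]bool) map[string]bool {
	if !seen[subject] {
		seen[subject] = true
		for _, r := range pol.roles[subject] {
			effectiveSubjects(pol, r, seen)
		}
	}
	return seen
}

// canGetProject evaluates "projects get <project>" for subject: at least one
// matching allow and no matching deny (deny wins, as in Argo CD's Casbin model).
func canGetProject(pol policy, subject, project string) bool {
	subs := effectiveSubjects(pol, subject, map[string]bool{})
	allowed, denied := false, false
	for _, g := range pol.grants {
		if subs[g.subject] && globMatch(g.resource, "projects") &&
			globMatch(g.action, "get") && globMatch(g.object, project) {
			allowed = allowed || g.effect == "allow"
			denied = denied || g.effect == "deny"
		}
	}
	return allowed && !denied
}

// exposedSubjects lists (sorted) every subject able to read project and so,
// on an affected Argo CD version, its repository credentials.
func exposedSubjects(pol policy, project string) []string {
	var out []string
	for s := range pol.subjects {
		if canGetProject(pol, s, project) {
			out = append(out, s)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	pol := parsePolicy(samplePolicy)
	fmt.Println("team-a readable by:", exposedSubjects(pol, "team-a"))
	fmt.Println("team-b readable by:", exposedSubjects(pol, "team-b"))
}
```

Run against a real policy, feed it the `policy.csv` key of the `argocd-rbac-cm` ConfigMap plus the built-in policy; project roles defined inside an AppProject use the same line format and can be appended. Note that `alice`, who only manages applications, is not listed, while `ci-bot` is, purely through its binding to `role/user`.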

Potential Impact

For European organizations running Kubernetes with Argo CD, the immediate risk is credential theft: an over-privileged or leaked API token, for example one issued to a CI job, yields the usernames and passwords Argo CD uses to reach source repositories. From there an attacker can read the source and, if the credentials permit writes, alter deployment manifests or inject malicious containers, a supply-chain compromise of every cluster that syncs from those repositories. Repositories may also hold intellectual property or customer data, and organizations in regulated sectors (finance, healthcare, critical infrastructure) face corresponding regulatory and reputational exposure. Because exploitation is a single remote API call with no user interaction, multi-tenant and hybrid cloud deployments, where many teams and pipelines hold tokens, are the most exposed. The absence of known exploitation offers a window for remediation, but the CVSS score and the simplicity of the request make patching urgent.

Mitigation Recommendations

European organizations should first establish which Argo CD versions they run (the argocd-server version, not the CLI on an operator's workstation) and upgrade every affected instance to 2.13.9, 2.14.16, 3.0.14 or 3.1.2. Patching stops further reads but does not undo any that already happened, so repository credentials reachable through an affected instance should be treated as potentially exposed and rotated unless API logs can show that no over-privileged token called the project details endpoint. Beyond that, enforce least privilege in the RBAC policy: enumerate every subject whose effective policy allows `projects get`, remembering that wildcard grants (`*` on resource, action or object) and role bindings confer it indirectly, and cut the grant back to the projects each token actually needs. Prefer short-lived tokens with regular rotation over long-lived ones. Monitor argocd-server API logs for requests to the project details endpoint from subjects with no reason to read project configuration, especially CI tokens, and treat unexpected calls as possible credential theft. Restrict network access to the Argo CD API to trusted management networks. Where possible, source repository credentials from a secrets manager external to Argo CD so they can be rotated centrally, rather than relying on long-lived credentials embedded in Argo CD. Include GitOps pipelines and deployment tooling in regular security assessments and penetration tests, and make DevOps teams aware of the risk of over-permissioned tokens and the importance of timely patching.
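A version check for the affected ranges, written as an added example in Go (not Argo CD's own code): it parses the version string argocd-server reports, in the `v3.1.0-rc1+<sha>` form, and classifies it against the fixed versions named in this advisory. Release lines the advisory does not name, such as 2.12 and older, are reported as unlisted rather than safe, and anything below the first fixed release of a named line is treated as affected, so 3.0.13, which the advisory does not mention, is conservatively reported as affected. The sample inputs in `main` are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed Argo CD version such as v3.1.0-rc1+abcdef0.
type version struct {
	major, minor, patch int
	pre                 string // prerelease tag such as "rc1"; empty for a release
}

func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.Index(s, "+"); i >= 0 {
		s = s[:i] // drop build metadata (the commit SHA argocd appends)
	}
	var pre string
	if i := strings.Index(s, "-"); i >= 0 {
		pre, s = s[i+1:], s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("unrecognised version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil {
			return version{}, fmt.Errorf("unrecognised version %q: %w", s, err)
		}
		n[i] = v
	}
	return version{n[0], n[1], n[2], pre}, nil
}

// less orders versions; a prerelease sorts below its release, so 3.1.2-rc1 < 3.1.2.
func less(a, b version) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	if (a.pre == "") != (b.pre == "") {
		return a.pre != ""
	}
	return a.pre < b.pre // lexical, adequate for single-digit rcN tags
}

// fixedIn maps each release line named in the advisory to its first patched version.
var fixedIn = map[[2]int]string{
	{2, 13}: "2.13.9",
	{2, 14}: "2.14.16",
	{3, 0}:  "3.0.14",
	{3, 1}:  "3.1.2",
}

// Check classifies an argocd-server version as "affected" (with the version to
// upgrade to), "fixed", or "unlisted" for a release line the advisory does not
// name (older, out-of-support lines: unknown, not safe). Anything below the
// first fixed release of a named line counts as affected, which covers versions
// the advisory omits, such as 3.0.13.
func Check(s string) (string, string, error) {
	v, err := parseVersion(s)
	if err != nil {
		return "", "", err
	}
	fix, ok := fixedIn[[2]int{v.major, v.minor}]
	if !ok {
		return "unlisted", "", nil
	}
	fixed, _ := parseVersion(fix)
	if less(v, fixed) {
		return "affected", fix, nil
	}
	return "fixed", "", nil
}

func main() {
	// constructed sample inputs in the form argocd-server reports its version
	for _, s := range []string{"v2.14.10+e1c8f5a", "v3.0.13", "v3.1.0-rc1", "v3.1.2", "v2.12.3"} {
		status, fix, err := Check(s)
		if err != nil {
			fmt.Println(s, err)
			continue
		}
		fmt.Printf("%-18s %-9s %s\n", s, status, fix)
	}
}
```

Feed it the server version, which `argocd version` prints alongside the client version; the CLI version on an operator's machine says nothing about the exposure of the API server.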


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-08-08T21:55:07.963Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68ba188588499799243dd6b6

Added to database: 9/4/2025, 10:53:57 PM

Last enriched: 9/4/2025, 11:08:54 PM

Last updated: 9/5/2025, 4:10:11 PM

