FKIE_CVE-2025-55191

Vulnerability from fkie_nvd - Published: 2025-09-30 23:15 - Updated: 2025-10-07 13:11
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL. The vulnerability is located in numerous repository related handlers in the util/db/repository_secrets.go file. A valid API token with repositories resource permissions (create, update, or delete actions) is required to trigger the race condition. This vulnerability causes the entire Argo CD server to crash and become unavailable. Attackers can repeatedly and continuously trigger the race condition to maintain a denial-of-service state, disrupting all GitOps operations. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
References
security-advisories@github.comhttps://github.com/argoproj/argo-cd/commit/701bc50d01c752cad96185f848088d287a97c7b7Patch
security-advisories@github.comhttps://github.com/argoproj/argo-cd/pull/6103Issue Tracking
security-advisories@github.comhttps://github.com/argoproj/argo-cd/security/advisories/GHSA-g88p-r42r-ppp9Vendor Advisory
Impacted products
Vendor Product Version
argoproj argo_cd *
argoproj argo_cd *
argoproj argo_cd *
argoproj argo_cd 3.2.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "789A8BF2-A057-44C9-96AC-EEAEBA826F8A",
              "versionEndExcluding": "2.14.20",
              "versionStartIncluding": "2.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E7FEAEBF-40B8-40E4-B34B-2785B0FEAFEB",
              "versionEndExcluding": "3.0.19",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AFF4E847-D3D6-457A-A47B-98799D28E20E",
              "versionEndExcluding": "3.1.8",
              "versionStartIncluding": "3.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:argoproj:argo_cd:3.2.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "247C0721-E494-4732-BF53-F249C574A702",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL. The vulnerability is located in numerous repository related handlers in the util/db/repository_secrets.go file. A valid API token with repositories resource permissions (create, update, or delete actions) is required to trigger the race condition. This vulnerability causes the entire Argo CD server to crash and become unavailable. Attackers can repeatedly and continuously trigger the race condition to maintain a denial-of-service state, disrupting all GitOps operations. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."
    },
    {
      "lang": "es",
      "value": "Argo CD es una herramienta de entrega continua declarativa, GitOps para Kubernetes. Las versiones entre 2.1.0 y 2.14.19, 3.2.0-rc1, 3.1.0-rc1 hasta 3.1.7, y 3.0.0-rc1 hasta 3.0.18 contienen una condici\u00f3n de carrera en el manejador de credenciales del repositorio que puede causar que el servidor Argo CD entre en p\u00e1nico y falle cuando se realizan operaciones concurrentes en la misma URL del repositorio. La vulnerabilidad se encuentra en numerosos manejadores relacionados con el repositorio en el archivo util/db/repository_secrets.go. Se requiere un token de API v\u00e1lido con permisos de recurso de repositorios (acciones de creaci\u00f3n, actualizaci\u00f3n o eliminaci\u00f3n) para activar la condici\u00f3n de carrera. Esta vulnerabilidad causa que todo el servidor Argo CD falle y quede no disponible. Los atacantes pueden activar repetida y continuamente la condici\u00f3n de carrera para mantener un estado de denegaci\u00f3n de servicio, interrumpiendo todas las operaciones GitOps. Este problema se soluciona en las versiones 2.14.20, 3.2.0-rc2, 3.1.8 y 3.0.19."
    }
  ],
  "id": "CVE-2025-55191",
  "lastModified": "2025-10-07T13:11:21.697",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-09-30T23:15:29.533",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/argoproj/argo-cd/commit/701bc50d01c752cad96185f848088d287a97c7b7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/argoproj/argo-cd/pull/6103"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-g88p-r42r-ppp9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-362"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.