PT-2025-40034 · Argo CD · Argo CD

Thevilledev · Published 2025-09-30 · Updated 2026-05-18 · CVE-2025-55191

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Argo CD versions 2.1.0 through 2.14.19
Argo CD versions 3.0.0-rc1 through 3.0.18
Argo CD versions 3.1.0-rc1 through 3.1.7
Argo CD version 3.2.0-rc1

Description

Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, is susceptible to a race condition within its repository credentials handler. This condition arises when concurrent operations are performed on the same repository URL, potentially causing the Argo CD server to panic and crash. The issue resides in repository-related handlers within the util/db/repository_secrets.go file, specifically functions like secretToRepoCred. The race condition stems from concurrent map access without proper mutex protection, triggered by repository credential operations (create, update, or delete) alongside Kubernetes informer re-syncs and background watchers. Exploitation requires a valid API token with repositories resource permissions, allowing attackers to repeatedly trigger the condition and maintain a denial-of-service state, disrupting GitOps operations.

Recommendations

Update to Argo CD version 2.14.20 or later.
Update to Argo CD version 3.0.19 or later.
Update to Argo CD version 3.1.8 or later.
Update to Argo CD version 3.2.0-rc2 or later.
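
An added example, not part of the advisory or of Argo CD: a Go check that tests a deployed version string against the affected ranges listed above, for use when triaging an inventory. The function names and the 0..999 limit on version components are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Affected ranges (inclusive at both ends), as listed in the advisory.
var ranges = [][2]string{{"2.1.0", "2.14.19"}, {"3.0.0-rc1", "3.0.18"},
	{"3.1.0-rc1", "3.1.7"}, {"3.2.0-rc1", "3.2.0-rc1"}}

// key maps "v3.1.7" or "3.2.0-rc1" to a sortable integer; a final release sorts after its rcs.
// Assumption of this example: components are 0..999 and -rcN is the only pre-release form.
func key(s string) (int64, error) {
	s, _, _ = strings.Cut(strings.TrimPrefix(strings.TrimSpace(s), "v"), "+")
	core, pre, hasPre := strings.Cut(s, "-")
	fields := strings.Split(core, ".")
	rc := "999"
	if hasPre {
		rc = strings.TrimPrefix(pre, "rc")
	}
	var k int64
	for _, f := range append(fields, rc) {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 || n > 999 || len(fields) != 3 {
			return 0, fmt.Errorf("unrecognised version %q", s)
		}
		k = k*1000 + int64(n)
	}
	return k, nil
}

// Affected reports whether version lies inside any listed range.
func Affected(version string) (bool, error) {
	v, err := key(version)
	for _, r := range ranges {
		lo, _ := key(r[0])
		hi, _ := key(r[1])
		if err == nil && lo <= v && v <= hi {
			return true, nil
		}
	}
	return false, err
}

func main() {
	fmt.Println(Affected("v2.14.19")) // constructed input
}
```

Version strings the parser does not recognise return an error rather than "not affected", so they can be reviewed by hand.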

Exploit

Fix

DoS

Race Condition

Weakness Enumeration

Related Identifiers

BIT-ARGO-CD-2025-55191
CVE-2025-55191
GHSA-G88P-R42R-PPP9
GO-2025-3994
OPENSUSE-SU-2025:15666-1
SUSE-SU-2025:3799-1

Affected Products

Argo CD