CVE-2025-23216

Argo CD does not scrub secret values from patch errors

Severity Score

6.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

NVD
RedHat

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. The vulnerability is fixed in v2.13.4, v2.12.10, and v2.11.13.

A vulnerability was found in Argo CD where secret values can be exposed in error messages when an invalid Kubernetes Secret resource is synced from a repository. An attacker must have write access to the repository and any user with read access can view the exposed data.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Multiple

Confidentiality

Complete

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2025-01-13 CVE Reserved
2025-01-30 CVE Published
2025-02-12 CVE Updated
2025-04-08 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-209: Generation of Error Message Containing Sensitive Information

CAPEC

References (5)

URL	Tag	Source
https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107	X_refsource_misc
https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v	X_refsource_confirm
https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca	X_refsource_misc

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2025-23216	2025-02-26
https://bugzilla.redhat.com/show_bug.cgi?id=2342987	2025-02-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Argoproj Search vendor "Argoproj"		Argo-cd Search vendor "Argoproj" for product "Argo-cd"				>= 2.13.0 < 2.13.4 Search vendor "Argoproj" for product "Argo-cd" and version " >= 2.13.0 < 2.13.4"		en		Affected
Argoproj Search vendor "Argoproj"		Argo-cd Search vendor "Argoproj" for product "Argo-cd"				>= 2.12.0 < 2.12.10 Search vendor "Argoproj" for product "Argo-cd" and version " >= 2.12.0 < 2.12.10"		en		Affected
Argoproj Search vendor "Argoproj"		Argo-cd Search vendor "Argoproj" for product "Argo-cd"				< 2.11.13 Search vendor "Argoproj" for product "Argo-cd" and version " < 2.11.13"		en		Affected