GHSA-47g2-qmh2-749v: Argo CD does not scrub secret values from patch errors

Impact

A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository.

The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to the repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.
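As an added, defender-side illustration (this is not Argo CD's or gitops-engine's own code; their fix is in the commits listed under References), the following Go program shows the two scrubbing steps the advisory implies a controller needs: masking the `data`/`stringData` values of a Secret before the object reaches a diff view, and rewriting an error whose text echoes those values (for example a validation error quoting the malformed field). The manifest, the error text and the `++++++++` placeholder are constructed for this example and are assumptions, not values from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// redactedValue is written in place of every secret value (placeholder chosen for this example).
const redactedValue = "++++++++"

// secretFields are the Secret fields whose values must never reach logs, errors or diffs.
var secretFields = []string{"data", "stringData"}

// isSecret reports whether an unstructured manifest is a core/v1 Secret.
func isSecret(obj map[string]interface{}) bool {
	kind, _ := obj["kind"].(string)
	apiVersion, _ := obj["apiVersion"].(string)
	return kind == "Secret" && (apiVersion == "v1" || apiVersion == "")
}

// secretValues collects every value under data and stringData as a string.
// Non-string values (the malformed case) are formatted with %v so they are still scrubbed;
// empty values are skipped because replacing "" would corrupt the message.
func secretValues(obj map[string]interface{}) []string {
	var out []string
	for _, field := range secretFields {
		m, ok := obj[field].(map[string]interface{})
		if !ok {
			continue
		}
		for _, v := range m {
			if s := fmt.Sprintf("%v", v); s != "" {
				out = append(out, s)
			}
		}
	}
	// Longest first, so a value that is a prefix of another does not leave a suffix behind.
	sort.Slice(out, func(i, j int) bool { return len(out[i]) > len(out[j]) })
	return out
}

// RedactSecret returns a copy of the manifest in which every value under data and
// stringData is replaced by the placeholder. Keys are kept so a diff still shows
// which entries changed. Non-Secret objects and the input map are left untouched.
func RedactSecret(obj map[string]interface{}) map[string]interface{} {
	if !isSecret(obj) {
		return obj
	}
	out := make(map[string]interface{}, len(obj))
	for k, v := range obj {
		out[k] = v
	}
	for _, field := range secretFields {
		m, ok := obj[field].(map[string]interface{})
		if !ok {
			continue
		}
		masked := make(map[string]interface{}, len(m))
		for key := range m {
			masked[key] = redactedValue
		}
		out[field] = masked
	}
	return out
}

// ScrubError rewrites an error so that any secret value embedded in its text is
// replaced by the placeholder before the error is surfaced to users or logs.
func ScrubError(obj map[string]interface{}, err error) error {
	if err == nil || !isSecret(obj) {
		return err
	}
	msg := err.Error()
	for _, v := range secretValues(obj) {
		msg = strings.ReplaceAll(msg, v, redactedValue)
	}
	return errors.New(msg)
}

func main() {
	// Constructed sample: a Secret whose data value is not valid base64, so a patch would be rejected.
	invalid := map[string]interface{}{
		"apiVersion": "v1",
		"kind":       "Secret",
		"metadata":   map[string]interface{}{"name": "db-creds"},
		"data":       map[string]interface{}{"password": "not-base64!!"},
		"stringData": map[string]interface{}{"token": "hunter2"},
	}
	// Constructed error text mimicking a server that echoes the offending value back.
	raw := errors.New(`Secret "db-creds" is invalid: data[password]: Invalid value: "not-base64!!": illegal base64 data`)
	fmt.Println(ScrubError(invalid, raw))
	fmt.Println(RedactSecret(invalid)["data"])
}
```

The scrubbing is applied to the object the controller already holds, so it works even when the upstream error comes from a component the controller does not control; the trade-off is that very short secret values would also replace unrelated occurrences of the same text, which is the safer failure direction for a diff or error view.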

Patches

A patch for this vulnerability is available in the following Argo CD versions:

  • v2.13.4
  • v2.12.10
  • v2.11.13

Workarounds

There is no workaround other than upgrading.

References

Fixed with commits https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 and https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca

GitHub Advisory Database entry (GitHub Reviewed): CVE-2025-23216

Moderate severity. Published Jan 30, 2025 in argoproj/argo-cd. Updated Jan 30, 2025.

Package

github.com/argoproj/argo-cd/v2 (Go module, gomod)

Affected versions

  • >= 2.13.0, < 2.13.4
  • >= 2.12.0, < 2.12.10
  • < 2.11.13

Patched versions

  • 2.13.4
  • 2.12.10
  • 2.11.13

References

  • GHSA-47g2-qmh2-749v
  • GHSA-274v-mgcv-cm8j
  • argoproj/argo-cd@6f5537b
  • argoproj/gitops-engine@7e21b91

Published to the GitHub Advisory Database

Jan 30, 2025

Last updated

Jan 30, 2025