Argo CD does not scrub secret values from patch errors
GHSA-47g2-qmh2-749v · BIT-argo-cd-2025-23216 · CVE-2025-23216 · GO-2025-3433
Description
Impact
A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository.
The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to the repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.
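The defensive pattern the description implies is to mask Secret values before a rejected manifest is echoed back in an error or diff. The following is an added illustration, not Argo CD's or gitops-engine's code; the placeholder string, the function names and the sample manifest are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Placeholder written over every Secret value before a manifest is echoed
// back in an error message (constructed for this example).
const redacted = "++++++++"

// redactSecretValues masks, in place, every value under .data and
// .stringData when the manifest is a Secret; keys are kept so the error
// still tells the operator which field was rejected. Other kinds pass through.
func redactSecretValues(obj map[string]interface{}) map[string]interface{} {
	if kind, _ := obj["kind"].(string); kind != "Secret" {
		return obj
	}
	for _, field := range []string{"data", "stringData"} {
		values, ok := obj[field].(map[string]interface{})
		if !ok {
			continue
		}
		for key := range values {
			values[key] = redacted
		}
	}
	return obj
}

// patchError builds the message a user would see when applying a manifest
// fails. The manifest is redacted before it is embedded, so the message is
// safe for anyone with read access to the application.
func patchError(manifest []byte, cause error) (string, error) {
	var obj map[string]interface{}
	if err := json.Unmarshal(manifest, &obj); err != nil {
		return "", fmt.Errorf("decode manifest: %w", err)
	}
	safe, err := json.Marshal(redactSecretValues(obj))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("patch failed: %v; manifest: %s", cause, safe), nil
}

// Constructed invalid Secret: the data value is not base64, the kind of
// manifest the API server rejects with an error that quotes the value.
var sampleSecret = []byte(`{"apiVersion":"v1","kind":"Secret","metadata":{"name":"db"},"data":{"password":"not-base64!!"}}`)
```

Only the echoed manifest is masked here; the error text returned by the API server can itself quote field contents, so a complete fix has to treat the cause string with the same suspicion.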
Patches
A patch for this vulnerability is available in the following Argo CD versions:
- v2.13.4
- v2.12.10
- v2.11.13
Workarounds
There is no workaround other than upgrading.
References
Fixed with commits https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 and https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca.
References
- WEB https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v
- WEB https://github.com/argoproj/gitops-engine/security/advisories/GHSA-274v-mgcv-cm8j
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-23216
- WEB https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107
- WEB https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca
- PACKAGE https://github.com/argoproj/argo-cd