Fluid Attacks Database

Description

Argo CD does not scrub secret values from patch errors

Impact

A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository.

The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.

Patches

A patch for this vulnerability is available in the following Argo CD versions:

v2.13.4

v2.12.10

v2.11.13

Workarounds

There is no workaround other than upgrading.

References

Fixed with commit https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 & https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/argoproj/argo-cd/v2	>=2.13.0 <2.13.4 \|\| >=2.12.0 <2.12.10 \|\| >=0 <2.11.13	2.13.4, 2.12.10, 2.11.13
go	github.com/argoproj/argo-cd	>=0 <=1.8.7	-

Aliases

1. CVE-2025-232162. NVD-2025-232163. OSV-2025-232164. GHSA-47g2-qmh2-749v5. GHSA-274v-mgcv-cm8j6. GCVE-2025-23216

References

1. https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v2. https://github.com/argoproj/gitops-engine/security/advisories/GHSA-274v-mgcv-cm8j3. https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e41074. https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.