Argo CD does not scrub secret values from patch errors
Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and in the diff view when an invalid Kubernetes Secret resource was synced from a repository. Exploitation requires write access to the repository: a user, whether intentionally or unintentionally, commits an invalid Secret to the repository and triggers a Sync. Once that happens, any user with read access to Argo CD can view the exposed secret data. The vulnerability is fixed in v2.13.4, v2.12.10, and v2.11.13.
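The defensive behaviour the advisory describes, scrubbing Secret values out of a patch error before it is surfaced to Argo CD users, as an added Go example that is not Argo CD's or gitops-engine's own code. The `Object` type, the `Redacted` placeholder and the sample error text are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Object is a constructed stand-in for an unstructured manifest (hypothetical, not Argo CD's types).
type Object map[string]interface{}

// Redacted is the placeholder substituted for Secret values.
const Redacted = "++++++++"

// secretValues returns every non-empty string under data and stringData when obj is a Secret.
func secretValues(obj Object) []string {
	if obj["kind"] != "Secret" {
		return nil
	}
	var vals []string
	for _, field := range []string{"data", "stringData"} {
		if m, ok := obj[field].(map[string]interface{}); ok {
			for _, v := range m {
				if s, ok := v.(string); ok && s != "" {
					vals = append(vals, s)
				}
			}
		}
	}
	return vals
}

// ScrubPatchError rewrites an API-server error before it is shown to users so that no Secret
// value survives in it. Each value is scrubbed verbatim and in its JSON-escaped form, because
// an echoed object carries newlines and quotes as \n and \" and would otherwise slip through.
func ScrubPatchError(obj Object, msg string) string {
	for _, v := range secretValues(obj) {
		msg = strings.ReplaceAll(msg, v, Redacted)
		if enc, err := json.Marshal(v); err == nil && len(enc) >= 2 {
			msg = strings.ReplaceAll(msg, string(enc[1:len(enc)-1]), Redacted)
		}
	}
	return msg
}

func main() {
	// Constructed invalid Secret and a constructed error that echoes the object back.
	secret := Object{"kind": "Secret", "stringData": map[string]interface{}{"key": "line1\nline2"}}
	raw, _ := json.Marshal(secret)
	fmt.Println(ScrubPatchError(secret, "failed to patch Secret: invalid object: "+string(raw)))
}
```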
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/argoproj/argo-cd/v2 (Go) | >= 2.13.0, < 2.13.4 | 2.13.4 |
| github.com/argoproj/argo-cd/v2 (Go) | >= 2.12.0, < 2.12.10 | 2.12.10 |
| github.com/argoproj/argo-cd/v2 (Go) | < 2.11.13 | 2.11.13 |
| github.com/argoproj/argo-cd (Go) | <= 1.8.7 | — |
References
- github.com/advisories/GHSA-47g2-qmh2-749v (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-23216 (NVD, ADVISORY)
- github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 (fix commit, argo-cd; x_refsource_MISC, WEB)
- github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v (vendor advisory; x_refsource_CONFIRM, WEB)
- github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca (fix commit, gitops-engine; x_refsource_MISC, WEB)
- github.com/argoproj/gitops-engine/security/advisories/GHSA-274v-mgcv-cm8j (gitops-engine advisory; WEB)