2400562 – (CVE-2025-55191) CVE-2025-55191 github.com/argoproj/argo-cd/v2: github.com/argoproj/argo-cd/v3: Argo CD race condition leading to crash

Bug 2400562 (CVE-2025-55191) - CVE-2025-55191 github.com/argoproj/argo-cd/v2: github.com/argoproj/argo-cd/v3: Argo CD race condition leading to crash

Summary: CVE-2025-55191 github.com/argoproj/argo-cd/v2: github.com/argoproj/argo-cd/v3...

Keywords:
Status:	NEW
Alias:	CVE-2025-55191
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-30 23:01 UTC by OSIDB Bzimport
Modified:	2025-10-02 19:27 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-09-30 23:01:15 UTC

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL. The vulnerability is located in numerous repository related handlers in the util/db/repository_secrets.go file. A valid API token with repositories resource permissions (create, update, or delete actions) is required to trigger the race condition. This vulnerability causes the entire Argo CD server to crash and become unavailable. Attackers can repeatedly and continuously trigger the race condition to maintain a denial-of-service state, disrupting all GitOps operations. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.

Note You need to log in before you can comment on or make changes to this bug.