CVE-2025-55191

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-55191
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-55191.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-55191
Aliases
Downstream
Related
Published
2025-09-30T22:52:19.838Z
Modified
2026-06-18T03:54:46.040245414Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Repository Credentials Race Condition Crashes Argo CD Server
Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL. The vulnerability is located in numerous repository related handlers in the util/db/repository_secrets.go file. A valid API token with repositories resource permissions (create, update, or delete actions) is required to trigger the race condition. This vulnerability causes the entire Argo CD server to crash and become unavailable. Attackers can repeatedly and continuously trigger the race condition to maintain a denial-of-service state, disrupting all GitOps operations. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/55xxx/CVE-2025-55191.json",
    "cwe_ids": [
        "CWE-362"
    ]
}
References

Affected packages

Git / github.com/argoproj/argo-cd

Affected ranges

Type
GIT
Repo
https://github.com/argoproj/argo-cd
Events
Introduced
d0b2d55e3fb7fe8b17385d6687886de41651f31b
Fixed
879895af786513ae25ba22f36f861cc1afe3b435
Introduced
e98f483bfd5781df2592fef1aeed1148f150d9c9
Fixed
132be88e674fbdb222e38f9a15edb5b512904cd9
Introduced
03c4ad854c1e6d922a121cd40f505d9bc6e402da
Fixed
becb020064fe9be5381bf6e5818ff8587ca8f377
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
701bc50d01c752cad96185f848088d287a97c7b7
Database specific 
{
    "source": [
        "CPE_RANGE",
        "CPE_STRING",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "2.1.0"
        },
        {
            "fixed": "2.14.20"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.0.19"
        },
        {
            "introduced": "3.1.0"
        },
        {
            "fixed": "3.1.8"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.2.0-rc1"
        }
    ],
    "cpe": [
        "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:argoproj:argo_cd:3.2.0:rc1:*:*:*:*:*:*"
    ]
}

Affected versions

v0.*
v0.1.0
v0.2.0
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.4.0
v0.4.0-alpha1
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.5.0
v0.5.1
v0.5.2
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.8.0
v2.*
v2.14.0
v2.14.0-rc1
v2.14.0-rc2
v2.14.0-rc3
v2.14.0-rc4
v2.14.0-rc5
v2.14.0-rc6
v2.14.0-rc7
v2.14.1
v2.14.10
v2.14.11
v2.14.12
v2.14.13
v2.14.14
v2.14.15
v2.14.16
v2.14.17
v2.14.18
v2.14.19
v2.14.2
v2.14.3
v2.14.4
v2.14.5
v2.14.6
v2.14.7
v2.14.8
v2.14.9
v3.*
v3.0.0
v3.0.1
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.17
v3.0.18
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-55191.json"