Conversation

@renovate renovate bot commented Sep 19, 2025

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| github.com/argoproj/argo-cd/v3 | v3.0.12 -> v3.0.14 | age | confidence |

GitHub Vulnerability Alerts

CVE-2025-55190

Summary

Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets.

Component: Project API (/api/v1/projects/{project}/detailed)

Vulnerability Details

Expected Behavior

API tokens should require explicit permission to access sensitive credential information. Standard project permissions should not grant access to repository secrets.

Actual Behavior

API tokens with basic project permissions can retrieve all repository credentials associated with a project through the detailed project API endpoint.

Note: This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: p, role/user, projects, get, *, allow

Steps to Reproduce

  1. Create an API token with the following project-level permissions:

     ```csv
     p, proj:myProject:project-automation-role, applications, sync, myProject/*, allow
     p, proj:myProject:project-automation-role, applications, action/argoproj.io/Rollout/*, myProject/*, allow
     p, proj:myProject:project-automation-role, applications, get, myProject/*, allow
     ```

  2. Call the project details API:

     ```bash
     curl -sH "Authorization: Bearer $ARGOCD_API_TOKEN" \
       "https://argocd.example.com/api/v1/projects/myProject/detailed"
     ```

  3. Observe that the response includes sensitive repository credentials:

     ```json
     {
       "repositories": [
         {
           "username": "<REDACTED>",
           "password": "<REDACTED>",
           "type": "helm",
           "name": "test-helm-repo",
           "project": "myProject"
         }
       ]
     }
     ```

Patches

  • v3.1.2
  • v3.0.14
  • v2.14.16
  • v2.13.9

Credits to @ashishgoyal111 for helping identify this issue.


Release Notes

argoproj/argo-cd (github.com/argoproj/argo-cd/v3)

v3.0.14

Compare Source

Quick Start

Use v3.0.15

There was an issue with immutable releases for v3.0.14 which caused some release steps to fail (uploading provenance and SBOMs). There should be nothing wrong with v3.0.14, but v3.0.15 is equivalent with a fully-successful release.

Non-HA:

```bash
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.0.14/manifests/install.yaml
```

HA:

```bash
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.0.14/manifests/ha/install.yaml
```

Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Bug fixes
Other work

Full Changelog: argoproj/argo-cd@v3.0.13...v3.0.14

v3.0.13

Compare Source

Quick Start

Non-HA:

```bash
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.0.13/manifests/install.yaml
```

HA:

```bash
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.0.13/manifests/ha/install.yaml
```

Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Bug fixes
Documentation
Other work

Full Changelog: argoproj/argo-cd@v3.0.12...v3.0.13


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
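An offline check for the two conditions the advisory above describes: which RBAC subjects the policy actually grants `projects get` on a project (the note says any such token, project-scoped or global, can reach the `/detailed` endpoint), and whether a `/api/v1/projects/{project}/detailed` response carries repository credential fields. This is an added example written for this page, not code from Argo CD, the advisory or this PR. The glob matcher is a simplified stand-in for Argo CD's policy matching (no `g` role grouping, no regex mode), the secret field names beyond `username`/`password` are assumed from the Argo CD Repository type, and the policy and JSON response are constructed samples, not captured from a real instance.

```python
"""Offline checks for the CVE-2025-55190 exposure pattern (added example, not Argo CD code)."""
import fnmatch
import json
import urllib.parse
import urllib.request
from typing import Dict, List

# Fields a caller without explicit secrets access should never receive in a repository entry.
# `username`/`password` come from the advisory; the rest are assumed from the Repository type.
SECRET_FIELDS = ("username", "password", "sshPrivateKey", "tlsClientCertKey",
                 "githubAppPrivateKey", "bearerToken")

# Constructed sample policy: the project role from the advisory plus the global
# `role/user` rule the advisory's note calls out as also affected.
SAMPLE_POLICY = """\
p, proj:myProject:project-automation-role, applications, sync, myProject/*, allow
p, proj:myProject:project-automation-role, applications, get, myProject/*, allow
p, role/user, projects, get, *, allow
"""

# Constructed sample `/detailed` response from an unpatched server: one helm repo with
# inline credentials, one public git repo without any.
SAMPLE_RESPONSE = json.dumps({
    "repositories": [
        {"username": "ci-bot", "password": "hunter2", "type": "helm",
         "name": "test-helm-repo", "project": "myProject"},
        {"type": "git", "name": "public-charts",
         "repo": "https://github.com/example/charts", "project": "myProject"},
    ]
})


def _glob(pattern: str, value: str) -> bool:
    # Simplified stand-in for Argo CD's glob matcher: '*' matches any run of characters.
    return fnmatch.fnmatchcase(value, pattern)


def parse_policy(policy_csv: str) -> List[Dict[str, str]]:
    """Parse `p, subject, resource, action, object, effect` lines; skip comments and `g` lines."""
    rules = []
    for line in policy_csv.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if parts[0] != "p" or len(parts) != 6:
            continue
        rules.append(dict(zip(("type", "subject", "resource", "action", "object", "effect"), parts)))
    return rules


def grants_project_get(policy_csv: str, subject: str, project: str) -> bool:
    """True if `subject` may `get` the project object `project`; any matching deny wins."""
    matches = [
        r for r in parse_policy(policy_csv)
        if _glob(r["subject"], subject)
        and _glob(r["resource"], "projects")
        and _glob(r["action"], "get")
        and _glob(r["object"], project)
    ]
    if any(r["effect"] == "deny" for r in matches):
        return False
    return any(r["effect"] == "allow" for r in matches)


def exposed_credentials(detailed_response: str) -> List[Dict[str, str]]:
    """Return one {repo, field} finding per non-empty secret field in a `/detailed` body.

    Values are deliberately not returned, so the report can be logged without re-leaking them.
    """
    data = json.loads(detailed_response)
    findings = []
    for repo in data.get("repositories") or []:
        label = repo.get("name") or repo.get("repo") or "?"
        for field in SECRET_FIELDS:
            if repo.get(field):
                findings.append({"repo": label, "field": field})
    return findings


def fetch_detailed(base_url: str, token: str, project: str, timeout: float = 10.0) -> str:
    """Live counterpart of the advisory's curl call; not used by the offline demo below."""
    url = f"{base_url.rstrip('/')}/api/v1/projects/{urllib.parse.quote(project)}/detailed"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for subject in ("proj:myProject:project-automation-role", "role/user"):
        print(f"{subject}: projects get on myProject ->",
              grants_project_get(SAMPLE_POLICY, subject, "myProject"))
    for finding in exposed_credentials(SAMPLE_RESPONSE):
        print(f"repository {finding['repo']!r} exposes field {finding['field']!r}")
```

To test a real instance after upgrading, swap `SAMPLE_RESPONSE` for `fetch_detailed(...)` called with the least-privileged token you can mint for the project; an empty finding list from a token that `grants_project_get` reports as allowed is the result you want on a patched server.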

renovate bot commented Sep 19, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

```
Command failed: go get -t ./...
go: module github.com/argoproj/argo-cd/v3@v3.0.14 requires go >= 1.24.6; switching to go1.24.7
go: downloading go1.24.7 (linux/amd64)
go: download go1.24.7: golang.org/toolchain@v0.0.1-go1.24.7.linux-amd64: verifying module: checksum database disabled by GOSUMDB=off
```

renovate bot commented Sep 19, 2025

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v3.0.14). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/go-github.com-argoproj-argo-cd-v3-vulnerability branch September 19, 2025 12:19