Publish GHSA-g88p-r42r-ppp9

advisory-database[bot] · advisory-database[bot] · commit db80f76df3f5 · 2025-09-30T18:03:19.000Z
diff --git a/advisories/github-reviewed/2025/09/GHSA-g88p-r42r-ppp9/GHSA-g88p-r42r-ppp9.json b/advisories/github-reviewed/2025/09/GHSA-g88p-r42r-ppp9/GHSA-g88p-r42r-ppp9.json
@@ -0,0 +1,134 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g88p-r42r-ppp9",
+  "modified": "2025-09-30T18:01:48Z",
+  "published": "2025-09-30T18:01:48Z",
+  "aliases": [
+    "CVE-2025-55191"
+  ],
+  "summary": "Repository Credentials Race Condition Crashes Argo CD Server",
+  "details": "### Summary\n\nA race condition in the repository credentials handler can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL.\n\n### Details\nThe vulnerability is located in numerous repository related handlers in the `util/db/repository_secrets.go` file. For example, in the `secretToRepoCred` function. The issue manifests as a concurrent map access panic:\n\n```\nconcurrent map read and map write\n...\ngoroutine 1104 [running]:\ngithub.com/argoproj/argo-cd/v2/util/db.(*secretsRepositoryBackend).secretToRepoCred(0xc000e50ea8?, 0xc000c65540)\n        /go/src/github.com/argoproj/argo-cd/util/db/repository_secrets.go:404 +0x31e\n```\n\nThe race condition occurs due to:\n1. Concurrent repository credential operations (create/update/delete) accessing the same map\n2. Kubernetes informer re-syncs happening simultaneously\n3. Background watchers updating the same secret data\n4. No mutex protection for map access\n\nA valid API token with `repositories` resource permissions (`create`, `update`, or `delete` actions) is required to trigger the race condition.\n\n### Impact\n\nThis vulnerability causes the entire Argo CD server to crash and become unavailable. Attackers can repeatedly and continuously trigger the race condition to maintain a denial-of-service state, disrupting all GitOps operations. Default ArgoCD configuration is vulnerable.\n\nThe affected code was originally introduced in [PR #6103](https://github.com/argoproj/argo-cd/pull/6103) and released in [v2.1.0](https://github.com/argoproj/argo-cd/releases/tag/v2.1.0).\n\nThis data race was addressed by deep-copying the `Secret` objects before reading/writing.\n\n### Credits\n\nThis vulnerability was found, reported and fixed by:\n\n@thevilledev\n\nThe Argo team would like to thank him for his responsible disclosure and constructive communications during the resolve of this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/argoproj/argo-cd/v2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.1.0"
+            },
+            {
+              "fixed": "2.14.20"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.14.19"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/argoproj/argo-cd/v3"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.2.0-rc1"
+            },
+            {
+              "fixed": "3.2.0-rc2"
+            }
+          ]
+        }
+      ],
+      "versions": [
+        "3.2.0-rc1"
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/argoproj/argo-cd/v3"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.1.0-rc1"
+            },
+            {
+              "fixed": "3.1.8"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.1.7"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/argoproj/argo-cd/v3"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.0.0-rc1"
+            },
+            {
+              "fixed": "3.0.19"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.0.18"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-g88p-r42r-ppp9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/argoproj/argo-cd/pull/6103"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/argoproj/argo-cd/commit/701bc50d01c752cad96185f848088d287a97c7b7"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/argoproj/argo-cd"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-362"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-09-30T18:01:48Z",
+    "nvd_published_at": null
+  }
+}
