PT-2024-5127 · Argo Cd

Jake-Ciolek · Published 2024-07-22 · Updated 2025-01-09 · CVE-2024-40634

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions:
Argo CD versions prior to 2.11.6
Argo CD versions prior to 2.10.15
Argo CD versions prior to 2.9.20
Description: An unauthenticated attacker can send a specially crafted, very large JSON payload to the "/api/webhook" endpoint. Parsing it causes excessive memory allocation, which ends in an Out Of Memory (OOM) kill and disrupts the service, so the vulnerability poses a high risk to the availability of Argo CD deployments. The request only needs to carry a header such as "X-GitHub-Event: push", which makes Argo CD begin allocating memory to parse the incoming body.
Recommendations: For versions prior to 2.11.6, update to version 2.11.6 or later; for versions prior to 2.10.15, update to version 2.10.15 or later; for versions prior to 2.9.20, update to version 2.9.20 or later. As a temporary workaround, consider restricting access to the "/api/webhook" endpoint to minimize the risk of exploitation, and enforce a limit on the size of the request being parsed to prevent excessive memory allocation.

Weakness Enumeration

Resource Exhaustion

Related Identifiers

BDU:2024-05674
BIT-ARGO-CD-2024-40634
CVE-2024-40634
GHSA-JMVP-698C-4X3W
GO-2024-3002

Affected Products

Argo Cd