PT-2025-40055 · Argo Cd · Argo Cd

Jake-Ciolek · Published 2025-09-30 · Updated 2025-10-27 · CVE-2025-59531

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Argo CD versions 1.2.0 through 1.8.7
Argo CD versions 2.0.0-rc1 through 2.14.19
Argo CD versions 3.0.0-rc1 through 3.2.0-rc1
Argo CD version 3.1.7
Argo CD version 3.0.18
Description

Argo CD is susceptible to denial of service through malicious API requests. Specifically, when no webhook.bitbucketserver.secret is configured, the /api/webhook endpoint crashes upon receiving a malformed Bitbucket Server payload in which the repository.links.clone field is not an array. A single unauthenticated request can cause the API server to enter a CrashLoopBackOff state, and targeting all replicas can result in a complete API outage. The issue stems from an unsafe type assertion in the webhook.go file, which panics when the value is not of the expected array type. A proof-of-concept (PoC) demonstrates that sending a crafted JSON payload to the /api/webhook endpoint can trigger this panic and crash the server.
Recommendations

For all affected versions (Argo CD 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18), configure a webhook.bitbucketserver.secret to ensure only trusted parties can invoke the webhook handler. If Bitbucket Server is not used, set webhook.bitbucketserver.secret to a long, random value to effectively disable webhook handling for Bitbucket Server payloads.
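To illustrate the bug class the description names, here is an added Go example that is not Argo CD's code: a parser that reads repository.links.clone with unchecked type assertions (the hazardous pattern), beside a hardened version that uses the comma-ok form so a malformed body becomes an error rather than a process-killing panic. The two JSON bodies are constructed samples and the function names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample bodies (not captured traffic): a well-formed Bitbucket Server-style payload and one where repository.links.clone is not an array.
const wellFormed = `{"repository":{"links":{"clone":[{"href":"ssh://git@example.invalid/proj/repo.git","name":"ssh"}]}}}`
const malformed = `{"repository":{"links":{"clone":"not-an-array"}}}`

// cloneLinksUnsafe shows the hazardous pattern: unchecked type assertions, so a body whose clone field is a string panics inside the request handler.
func cloneLinksUnsafe(body []byte) []interface{} {
	var p map[string]interface{}
	if err := json.Unmarshal(body, &p); err != nil {
		return nil
	}
	repo := p["repository"].(map[string]interface{})
	links := repo["links"].(map[string]interface{})
	return links["clone"].([]interface{}) // panics when clone is not an array
}

// cloneLinksSafe uses the comma-ok form at every step, so the same body becomes an error the handler can answer with HTTP 400 instead of a crash.
func cloneLinksSafe(body []byte) ([]interface{}, error) {
	var p map[string]interface{}
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, err
	}
	repo, ok := p["repository"].(map[string]interface{})
	if !ok {
		return nil, fmt.Errorf("repository is not an object")
	}
	links, ok := repo["links"].(map[string]interface{})
	if !ok {
		return nil, fmt.Errorf("repository.links is not an object")
	}
	clone, ok := links["clone"].([]interface{})
	if !ok {
		return nil, fmt.Errorf("repository.links.clone is not an array")
	}
	return clone, nil
}

// panics reports whether fn panics; it is only here to demonstrate the unsafe variant's failure mode without taking the process down.
func panics(fn func()) (p bool) {
	defer func() { p = recover() != nil }()
	fn()
	return false
}
```

Running cloneLinksUnsafe on the malformed body panics, while cloneLinksSafe returns the error "repository.links.clone is not an array"; the well-formed body parses in both.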

Tags: Exploit · Fix · DoS

Weakness Enumeration

Related Identifiers

BIT-ARGO-CD-2025-59531
CVE-2025-59531
GHSA-F9GQ-PRRC-HRHC
GO-2025-3993
OPENSUSE-SU-2025:15666-1
SUSE-SU-2025:3799-1

Affected Products

Argo Cd