PT-2025-40056 · Argo Cd · Argo Cd

Jake-Ciolek +1

Published 2025-09-30 · Updated 2025-10-20 · CVE-2025-59537

CVSS v3.1 7.5
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Argo CD versions 1.2.0 through 1.8.7
Argo CD versions 2.0.0-rc1 through 2.14.19
Argo CD versions 3.0.0-rc1 through 3.2.0-rc1
Argo CD version 3.1.7
Argo CD version 3.0.18
Description
Argo CD is vulnerable to a denial of service through crafted, unauthenticated API requests that crash the API server and disrupt service for legitimate users. Specifically, the /api/webhook endpoint is affected when webhook.gogs.secret is not configured. In that configuration, a Gogs push event whose commits[].repo JSON field is missing or null causes the argocd-server process to crash. The affectedRevisionInfo function does not validate the structure of the decoded webhook event before using it, so an attacker can trigger the crash with a crafted payload. The handling path runs through the Handler function, which selects the webhook type from the request header and body, and the Parse function, which unmarshals the JSON body without strict validation. Because no secret means no authentication, an attacker can send such requests to /api/webhook repeatedly and keep the service down. Only availability is affected, which matches the CVSS vector (C:N/I:N/A:H).
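The failure mode above, modelled in Go as an added example (this is not Argo CD's or the Gogs client's code; the struct types, field names and the two sample payloads are constructed for illustration). It decodes a push event the way the advisory describes, dereferences commits[].repo without checking it, and shows the nil pointer dereference a null field produces, next to a hardened decoder that validates the structure and returns an error instead of panicking:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Minimal model of the Gogs push payload fields this example needs. These are
// constructed types for illustration, not Argo CD's or the Gogs client's types.
type Repository struct {
	HTMLURL       string `json:"html_url"`
	DefaultBranch string `json:"default_branch"`
}

type Commit struct {
	ID   string      `json:"id"`
	Repo *Repository `json:"repo"` // pointer: a missing or null JSON field decodes to nil
}

type PushPayload struct {
	Ref     string      `json:"ref"`
	Before  string      `json:"before"`
	After   string      `json:"after"`
	Repo    *Repository `json:"repo"`
	Commits []*Commit   `json:"commits"`
}

// Constructed sample bodies: a well-formed push event, and the same event with
// commits[0].repo set to null, the shape the advisory describes.
const goodPayload = `{"ref":"refs/heads/main","before":"aaaa","after":"bbbb",
 "repo":{"html_url":"https://gogs.example.test/org/app","default_branch":"main"},
 "commits":[{"id":"bbbb","repo":{"html_url":"https://gogs.example.test/org/app","default_branch":"main"}}]}`

const badPayload = `{"ref":"refs/heads/main","before":"aaaa","after":"bbbb",
 "repo":{"html_url":"https://gogs.example.test/org/app","default_branch":"main"},
 "commits":[{"id":"bbbb","repo":null}]}`

// vulnerableRevisionInfo follows the pattern the advisory describes: decode the
// JSON without structural validation, then dereference commit.Repo unconditionally.
// A null repo leaves c.Repo nil and the field access panics. In Go an unrecovered
// panic terminates the whole process, which is the argocd-server crash.
func vulnerableRevisionInfo(body []byte) ([]string, error) {
	var p PushPayload
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, err
	}
	var webURLs []string
	for _, c := range p.Commits {
		webURLs = append(webURLs, c.Repo.HTMLURL) // nil pointer dereference when repo is null
	}
	return webURLs, nil
}

// hardenedRevisionInfo validates the decoded structure before touching any pointer
// field and returns an error for malformed input instead of panicking.
func hardenedRevisionInfo(body []byte) ([]string, error) {
	var p PushPayload
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, err
	}
	if p.Repo == nil {
		return nil, errors.New("push payload: repo is missing or null")
	}
	webURLs := make([]string, 0, len(p.Commits))
	for i, c := range p.Commits {
		if c == nil || c.Repo == nil { // covers both "commits":[null] and {"repo":null}
			return nil, fmt.Errorf("push payload: commits[%d].repo is missing or null", i)
		}
		webURLs = append(webURLs, c.Repo.HTMLURL)
	}
	return webURLs, nil
}

// callRecovering runs fn and reports whether it panicked, so the crash can be
// demonstrated in-process without taking the program down.
func callRecovering(fn func() error) (panicked bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
			err = fmt.Errorf("recovered panic: %v", r)
		}
	}()
	err = fn()
	return panicked, err
}

func main() {
	for _, tc := range []struct{ name, body string }{{"good", goodPayload}, {"bad", badPayload}} {
		panicked, err := callRecovering(func() error {
			_, err := vulnerableRevisionInfo([]byte(tc.body))
			return err
		})
		fmt.Printf("vulnerable %-4s payload: panicked=%v err=%v\n", tc.name, panicked, err)
		urls, err := hardenedRevisionInfo([]byte(tc.body))
		fmt.Printf("hardened   %-4s payload: urls=%v err=%v\n", tc.name, urls, err)
	}
}
```

The recover in callRecovering exists only so the demonstration can continue past the panic; it is not a fix. The fix is the nil check before the dereference, and rejecting the event with an error is what keeps one bad request from affecting every other client of the API server.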
Recommendations
For all affected versions (1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18), configure a webhook secret so that only parties holding the secret can invoke the webhook handler; requests without a valid signature are then rejected before the payload is parsed. In a Kubernetes deployment the value lives in the argocd-secret Secret under the key webhook.gogs.secret, so checking that the key is present and non-empty is the quickest way to confirm the mitigation is in place. If Gogs is not used, set webhook.gogs.secret to a long, random value that is shared with no one, which effectively disables Gogs payload handling. The secret is a mitigation, not a replacement for the fix: upgrade to a patched release where one is available.
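Why the secret works as a mitigation, as an added Go example (not Argo CD's or the Gogs client's code): the webhook body is authenticated with an HMAC before anything is decoded, so an attacker who does not hold the secret never reaches the unvalidated parser. The header name X-Gogs-Signature and the hex-encoded HMAC-SHA256 are assumptions about the Gogs format made for this example; the hostile request body is constructed:

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// gate models what configuring webhook.gogs.secret buys: the request body is
// authenticated with an HMAC before any parsing happens. The signature format
// (assumed: hex-encoded HMAC-SHA256 sent in X-Gogs-Signature) is an assumption
// for this example; the ordering of the checks is the point.
type gate struct {
	secret []byte // empty means "not configured", the vulnerable state
}

// verify returns true when the body carries a valid signature under the configured
// secret. With no secret configured every request is accepted, which is exactly
// why an unauthenticated attacker can reach the parser.
func (g gate) verify(body []byte, signatureHex string) bool {
	if len(g.secret) == 0 {
		return true
	}
	got, err := hex.DecodeString(signatureHex)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, g.secret)
	mac.Write(body)
	return hmac.Equal(mac.Sum(nil), got) // constant-time comparison
}

// handle keeps the order a safe handler must keep: authenticate, then parse.
// parse stands in for the JSON decoding the advisory says is unvalidated.
func (g gate) handle(body []byte, signatureHex string, parse func([]byte) error) error {
	if !g.verify(body, signatureHex) {
		return errors.New("webhook: signature missing or invalid, body not parsed")
	}
	return parse(body)
}

// sign produces the signature a legitimate Gogs instance holding the secret would send.
func sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// randomSecret implements the "long, random value" recommendation for deployments
// that do not use Gogs: nobody holds it, so no Gogs payload is ever parsed.
func randomSecret(nBytes int) ([]byte, error) {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return []byte(hex.EncodeToString(b)), nil
}

// countingParser is a stand-in parser that records how often it was reached.
func countingParser(counter *int) func([]byte) error {
	return func([]byte) error { *counter++; return nil }
}

func main() {
	body := []byte(`{"ref":"refs/heads/main","commits":[{"repo":null}]}`) // constructed hostile body
	for _, secret := range [][]byte{nil, []byte("shared-with-gogs")} {
		var reached int
		g := gate{secret: secret}
		unsigned := g.handle(body, "", countingParser(&reached))
		signed := g.handle(body, sign(secret, body), countingParser(&reached))
		fmt.Printf("secret configured=%v unsigned=%v signed=%v parser reached=%d\n",
			len(secret) > 0, unsigned, signed, reached)
	}
}
```

With no secret the hostile body reaches the parser on both calls; with a secret only the correctly signed one does. A long random secret nobody else holds therefore closes the path entirely, which is the "disable Gogs payload handling" recommendation in practice.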

Exploit · Fix · DoS · NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

BIT-ARGO-CD-2025-59537
CVE-2025-59537
GHSA-WP4P-9PXH-CGX2

Affected Products

Argo Cd