PT-2025-40056 · Argo Cd · Argo Cd

Jake-Ciolek +1 · Published 2025-09-30 · Updated 2026-02-27
CVE-2025-59537 · CVSS v3.1 9.8 Critical · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Argo CD, all of the following ranges:
- 1.2.0 through 1.8.7
- 2.0.0-rc1 through 2.14.19
- 3.0.0-rc1 through 3.2.0-rc1 (this range includes the 3.0.18 and 3.1.7 releases the advisory lists separately)
Description

Argo CD is susceptible to malicious API requests that crash the API server (the argocd-server process), denying service to legitimate users. The /api/webhook endpoint is reachable without authentication so that Git providers can push events to it; the Gogs path of that endpoint is vulnerable whenever webhook.gogs.secret is not configured. In that state a Gogs push event whose commits[].repo JSON field is missing or null reaches the handler unchecked and triggers a nil pointer dereference that terminates argocd-server.

The code path is: the Handler function selects the webhook type from the request headers and body; the Parse function unmarshals the JSON body into the provider's payload struct without validating that required fields are present; and affectedRevisionInfo then dereferences fields of that struct without checking for nil. Because no secret means no signature check, an unauthenticated attacker can send the crafted payload to /api/webhook repeatedly, crashing the server again each time it restarts.
Recommendations

For every affected version (1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, including 3.0.18 and 3.1.7), configure a webhook secret so that only parties holding it can invoke the webhook handler; with a secret set, an unsigned or wrongly signed Gogs request is rejected before its body is parsed. In Argo CD the value is stored in the argocd-secret Secret of the Argo CD namespace under the key webhook.gogs.secret, and the same value must be configured on the Gogs webhook. If Gogs is not used at all, still set webhook.gogs.secret to a long random value: no sender knows it, so Gogs payload handling is effectively disabled. Where a patched release exists for your branch, upgrade as well, since the secret mitigates exposure but does not add the missing validation.
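As an added illustration, not Argo CD's own code, the Go program below reproduces the two points above in one place: a pointer field that the JSON decoder leaves nil is dereferenced by an unchecked walk and panics (the process-killing failure), a nil-checked walk reports an error instead, and a configured secret causes an unsigned request to be rejected before the body is parsed. The struct shapes, the function names (HandleGogsPush, repoURLs, UncheckedWouldPanic) and the two payloads are assumptions constructed for this example; the signature check follows the Gogs webhook scheme (hex HMAC-SHA256 of the raw body carried in X-Gogs-Signature).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Stand-in payload types (assumed shapes, not the library types Argo CD
// uses). Pointer fields stay nil when the JSON key is absent or null.
type Repository struct {
	HTMLURL string `json:"html_url"`
}

type Commit struct {
	ID   string      `json:"id"`
	Repo *Repository `json:"repo"` // the commits[].repo field named in the advisory
}

type PushPayload struct {
	Ref     string      `json:"ref"`
	Repo    *Repository `json:"repo"`
	Commits []*Commit   `json:"commits"`
}

// repoURLsUnchecked mirrors the failure mode: it trusts the decoded struct
// and dereferences pointers that the JSON may have left nil.
func repoURLsUnchecked(p PushPayload) []string {
	urls := []string{p.Repo.HTMLURL}
	for _, c := range p.Commits {
		urls = append(urls, c.Repo.HTMLURL) // nil pointer dereference on "repo": null
	}
	return urls
}

// repoURLs is the hardened form: every pointer is checked, and a malformed
// payload becomes an error instead of a process-killing panic.
func repoURLs(p PushPayload) ([]string, error) {
	if p.Repo == nil {
		return nil, errors.New("push payload has no repo")
	}
	urls := []string{p.Repo.HTMLURL}
	for i, c := range p.Commits {
		if c == nil || c.Repo == nil {
			return nil, fmt.Errorf("commit %d has no repo", i)
		}
		urls = append(urls, c.Repo.HTMLURL)
	}
	return urls, nil
}

// SignGogs computes the value Gogs sends in X-Gogs-Signature: hex-encoded
// HMAC-SHA256 of the raw body under the shared secret.
func SignGogs(secret string, body []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// HandleGogsPush is the whole path: signature check, decode, nil-safe walk.
// An empty secret skips the check, which is the vulnerable configuration.
func HandleGogsPush(secret string, body []byte, signature string) ([]string, error) {
	if secret != "" && !hmac.Equal([]byte(signature), []byte(SignGogs(secret, body))) {
		return nil, errors.New("missing or invalid X-Gogs-Signature")
	}
	var p PushPayload
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, err
	}
	return repoURLs(p)
}

// UncheckedWouldPanic decodes body and reports whether the unchecked walk
// panics, recovering so the caller survives the demonstration.
func UncheckedWouldPanic(body []byte) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	var p PushPayload
	if err := json.Unmarshal(body, &p); err != nil {
		return false
	}
	_ = repoURLsUnchecked(p)
	return false
}

// Constructed payloads: a well-formed push and one with commits[].repo null.
const GoodPush = `{"ref":"refs/heads/main","repo":{"html_url":"https://gogs.example/org/app"},"commits":[{"id":"b1","repo":{"html_url":"https://gogs.example/org/app"}}]}`
const BadPush = `{"ref":"refs/heads/main","repo":{"html_url":"https://gogs.example/org/app"},"commits":[{"id":"b1","repo":null}]}`

func main() {
	fmt.Println("unchecked walk panics on BadPush:", UncheckedWouldPanic([]byte(BadPush)))
	_, err := HandleGogsPush("", []byte(BadPush), "")
	fmt.Println("no secret, hardened handler:", err)
	_, err = HandleGogsPush("s3cret", []byte(BadPush), "")
	fmt.Println("secret set, unsigned request:", err)
	urls, err := HandleGogsPush("s3cret", []byte(GoodPush), SignGogs("s3cret", []byte(GoodPush)))
	fmt.Println("secret set, signed request:", urls, err)
}
```

Running it shows the order the checks matter in: with no secret the only thing standing between an anonymous request and the dereference is the nil check in the walk, while with a secret the unsigned BadPush never reaches the decoder at all. Both defenses belong in place; the secret limits who can reach the parser, the nil checks make a malformed body survivable.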

Tags: Exploit · Fix · DoS · RCE · NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

BIT-ARGO-CD-2025-59537
CLEANSTART-2026-AC12204
CLEANSTART-2026-AJ16639
CLEANSTART-2026-BD53293
CLEANSTART-2026-CZ81512
CLEANSTART-2026-DZ05206
CLEANSTART-2026-EC15228
CLEANSTART-2026-ER93728
CLEANSTART-2026-FF98917
CLEANSTART-2026-GL70025
CLEANSTART-2026-IO04548
CLEANSTART-2026-JR48309
CLEANSTART-2026-KU65968
CLEANSTART-2026-KZ60560
CLEANSTART-2026-LS98939
CLEANSTART-2026-NP17404
CLEANSTART-2026-NV34418
CLEANSTART-2026-OA33370
CLEANSTART-2026-PN58989
CLEANSTART-2026-QC30410
CLEANSTART-2026-UO76615
CLEANSTART-2026-WP10148
CLEANSTART-2026-WQ07901
CLEANSTART-2026-XR85161
CLEANSTART-2026-YQ79300
CLEANSTART-2026-YW12690
CVE-2025-59537
GHSA-WP4P-9PXH-CGX2
GO-2025-3996
OPENSUSE-SU-2025:15666-1
SUSE-SU-2025:3799-1

Affected Products

Argo Cd