PT-2025-40057 · Argo Cd · Argo Cd
Jake-Ciolek
·
Published
2025-09-30
·
Updated
2026-05-18
·
CVE-2025-59538
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Argo CD versions 2.9.0-rc1 through 2.14.19
Argo CD versions 3.0.0-rc1 through 3.2.0-rc1
Argo CD version 3.1.6
Argo CD version 3.0.17
Description
Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, is susceptible to a denial-of-service issue. When webhook.azuredevops.username and webhook.azuredevops.password are not set (the default configuration), the /api/webhook endpoint crashes the entire argocd-server process upon receiving an Azure DevOps Push event with an empty resource.refUpdates JSON array. This occurs because the code accesses the first element ([0]) of the resource.refUpdates slice without verifying its length, leading to an index-out-of-range panic. A single unauthenticated HTTP POST request to the /api/webhook endpoint is sufficient to terminate the process. The vulnerable code is located in util/webhook/webhook.go around line 147, where the revision information is parsed. The issue is triggered when the refUpdates array is empty, causing a panic during slice access.
Recommendations
For versions 2.9.0-rc1 through 2.14.19, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.
For versions 2.9.0-rc1 through 2.14.19, if Azure DevOps is not used, set webhook.azuredevops.username and webhook.azuredevops.password to long, random values to effectively disable webhook handling for Azure DevOps payloads.
For versions 3.0.0-rc1 through 3.2.0-rc1, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.
For versions 3.0.0-rc1 through 3.2.0-rc1, if Azure DevOps is not used, set webhook.azuredevops.username and webhook.azuredevops.password to long, random values to effectively disable webhook handling for Azure DevOps payloads.
For version 3.1.6, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.
For version 3.1.6, if Azure DevOps is not used, set webhook.azuredevops.username and webhook.azuredevops.password to long, random values to effectively disable webhook handling for Azure DevOps payloads.
For version 3.0.17, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.
For version 3.0.17, if Azure DevOps is not used, set webhook.azuredevops.username and webhook.azuredevops.password to long, random values to effectively disable webhook handling for Azure DevOps payloads.
Exploit
Fix
DoS
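The unguarded slice access the description names, beside a length-checked version that turns the same payload into an ordinary error, as an added Go example that is not Argo CD's own code. The payload struct, the function names and the safeCall helper are assumptions made for the example, and the sample payload is constructed; the guard also covers a payload in which refUpdates is absent entirely, since the decoded slice is then nil.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal shape of an Azure DevOps git.push event (assumed; only the field the revision parsing reads).
type azureDevOpsPush struct {
	Resource struct {
		RefUpdates []struct {
			NewObjectID string `json:"newObjectId"`
		} `json:"refUpdates"`
	} `json:"resource"`
}

// parseRevisionUnguarded reproduces the vulnerable pattern: refUpdates[0] without a length check.
func parseRevisionUnguarded(body []byte) (string, error) {
	var ev azureDevOpsPush
	if err := json.Unmarshal(body, &ev); err != nil {
		return "", err
	}
	return ev.Resource.RefUpdates[0].NewObjectID, nil // empty or absent array: index out of range panic
}

// parseRevisionGuarded checks the length first; the HTTP handler can map the error to a 4xx response.
func parseRevisionGuarded(body []byte) (string, error) {
	var ev azureDevOpsPush
	if err := json.Unmarshal(body, &ev); err != nil {
		return "", err
	}
	if len(ev.Resource.RefUpdates) == 0 {
		return "", fmt.Errorf("git.push event carries no refUpdates")
	}
	return ev.Resource.RefUpdates[0].NewObjectID, nil
}

// safeCall recovers a panic so both variants can be compared within one process.
func safeCall(f func([]byte) (string, error), body []byte) (rev string, panicked bool, err error) {
	defer func() { panicked = recover() != nil }()
	rev, err = f(body)
	return
}

func main() {
	empty := []byte(`{"eventType":"git.push","resource":{"refUpdates":[]}}`) // constructed payload
	_, p, _ := safeCall(parseRevisionUnguarded, empty)
	_, _, err := safeCall(parseRevisionGuarded, empty)
	fmt.Printf("unguarded panicked=%v; guarded err=%v\n", p, err)
}
```

In a real handler the panic is not recovered the way safeCall does here, which is why one request terminates the whole argocd-server process.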
Related Identifiers
Affected Products
Argo Cd