CVE-2025-59531
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-59531, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-01

Last updated on: 2025-10-07

Assigner: GitHub, Inc.

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-01
Last Modified
2025-10-07
Generated
2026-07-06
AI Q&A
2025-10-01
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
argoproj argo_cd From 1.2.0 (inc) to 1.8.7 (inc)
argoproj argo_cd From 2.0.0 (inc) to 2.14.20 (exc)
argoproj argo_cd From 3.0.0 (inc) to 3.0.19 (exc)
argoproj argo_cd From 3.1.0 (inc) to 3.1.8 (exc)
argoproj argo_cd 3.2.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Argo CD allows malicious API requests to crash the API server by sending a malformed Bitbucket Server payload to the /api/webhook endpoint when the webhook.bitbucketserver.secret is not configured. Specifically, a non-array repository.links.clone field in the payload causes the server to crash, leading to denial of service.

Impact Analysis

An attacker can send a single unauthenticated request that triggers a CrashLoopBackOff state in the API server, causing denial of service to legitimate clients. If all replicas are targeted, this can result in a complete API outage, disrupting continuous delivery operations managed by Argo CD.

Mitigation Strategies

To mitigate this vulnerability, upgrade Argo CD to a fixed version: 2.14.20, 3.2.0-rc2, 3.1.8, or 3.0.19. Additionally, configure the webhook.bitbucketserver.secret to prevent the /api/webhook endpoint from crashing when receiving malformed Bitbucket Server payloads.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59531. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart