CVE-2025-59531
BaseFortify
Publication date: 2025-10-01
Last updated on: 2025-10-07
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| argoproj | argo_cd | From 1.2.0 (inc) to 1.8.7 (inc) |
| argoproj | argo_cd | From 2.0.0 (inc) to 2.14.20 (exc) |
| argoproj | argo_cd | From 3.0.0 (inc) to 3.0.19 (exc) |
| argoproj | argo_cd | From 3.1.0 (inc) to 3.1.8 (exc) |
| argoproj | argo_cd | 3.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-703 | The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Argo CD lets an unauthenticated attacker crash the API server by sending a malformed Bitbucket Server webhook payload to the /api/webhook endpoint when webhook.bitbucketserver.secret is not configured. Specifically, a repository.links.clone field that is not a JSON array is not handled as an error: processing it crashes the API server process, which is a denial of service (CWE-703, improper handling of exceptional conditions).
How can this vulnerability impact me?
A single unauthenticated request crashes the API server process. Kubernetes restarts the pod, and an attacker who keeps resending the request can hold it in CrashLoopBackOff, denying service to legitimate clients (UI, CLI, and other webhook senders). If all API server replicas are targeted, the result is a complete API outage that disrupts the continuous delivery operations managed by Argo CD.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Argo CD to a fixed version: 2.14.20, 3.0.19, 3.1.8, or 3.2.0-rc2. Until you can upgrade, configure webhook.bitbucketserver.secret (in the argocd-secret Secret) so that /api/webhook rejects requests that do not carry a valid signature before the payload is parsed. Treat this as a workaround rather than a fix: a sender who knows the secret can still deliver a malformed payload to an unpatched version, so also restrict network access to /api/webhook to your Bitbucket Server where possible.
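The following Go program is an added illustration of the failure mode described in the explanation above and of why the secret-based workaround helps; it is not Argo CD's code. It assumes the crash is an unchecked type assertion on repository.links.clone (the page only says a non-array value crashes the server), and it assumes a "sha256=<hex>" HMAC-SHA256 signature header for the webhook secret; both sample payloads are constructed, not captured from a real Bitbucket Server.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample payloads (not captured from a real Bitbucket Server).
// GoodPayload carries repository.links.clone as an array of link objects;
// BadPayload carries a string in that position.
const GoodPayload = `{"eventKey":"repo:refs_changed","repository":{"slug":"repo","links":{"clone":[` +
	`{"href":"ssh://git@bitbucket.example.com:7999/proj/repo.git","name":"ssh"},` +
	`{"href":"https://bitbucket.example.com/scm/proj/repo.git","name":"http"}]}}}`
const BadPayload = `{"eventKey":"repo:refs_changed","repository":{"slug":"repo","links":{"clone":"not-an-array"}}}`

// repoEvent decodes only the part of the event this example needs. links is
// arbitrary JSON, so the concrete Go type of each value depends on the request.
type repoEvent struct {
	Repository struct {
		Links map[string]interface{} `json:"links"`
	} `json:"repository"`
}

// CloneHrefsUnchecked is the assumed failure pattern: it asserts that
// links.clone is an array without checking, so a non-array value (or a
// missing key) panics. net/http recovers a panic in the handler goroutine
// itself, but not in a goroutine the handler spawns to process the event;
// there an unrecovered panic terminates the whole process.
func CloneHrefsUnchecked(payload []byte) []string {
	var evt repoEvent
	_ = json.Unmarshal(payload, &evt)
	var hrefs []string
	for _, l := range evt.Repository.Links["clone"].([]interface{}) { // panics on BadPayload
		hrefs = append(hrefs, l.(map[string]interface{})["href"].(string))
	}
	return hrefs
}

// CloneHrefs is the hardened form: every assertion uses the comma-ok form,
// so a malformed payload becomes an error the caller can log and drop.
func CloneHrefs(payload []byte) ([]string, error) {
	var evt repoEvent
	if err := json.Unmarshal(payload, &evt); err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	clone, ok := evt.Repository.Links["clone"].([]interface{})
	if !ok {
		return nil, fmt.Errorf("repository.links.clone is %T, want JSON array", evt.Repository.Links["clone"])
	}
	hrefs := make([]string, 0, len(clone))
	for _, l := range clone {
		link, ok := l.(map[string]interface{})
		if !ok {
			return nil, errors.New("clone entry is not an object")
		}
		href, ok := link["href"].(string)
		if !ok {
			return nil, errors.New("clone entry has no string href")
		}
		hrefs = append(hrefs, href)
	}
	return hrefs, nil
}

// SignBody computes the signature value a sender would place in the
// signature header (assumed "sha256=<hex>" form for this example).
func SignBody(secret string, body []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// HandleWebhook models the workaround: with a secret configured, unsigned or
// wrongly signed requests are rejected before parsing, so an unauthenticated
// sender never reaches the code that inspects links.clone.
func HandleWebhook(secret, signature string, body []byte) ([]string, error) {
	if secret != "" && !hmac.Equal([]byte(SignBody(secret, body)), []byte(signature)) {
		return nil, errors.New("webhook signature missing or invalid")
	}
	return CloneHrefs(body)
}

// DidPanic runs f and reports whether it panicked; it stands in for the
// process crash so the unchecked path can be exercised safely.
func DidPanic(f func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	f()
	return false
}

func main() {
	fmt.Println("unchecked parser panics on bad payload:", DidPanic(func() { CloneHrefsUnchecked([]byte(BadPayload)) }))
	_, err := CloneHrefs([]byte(BadPayload))
	fmt.Println("hardened parser on bad payload:", err)
	_, err = HandleWebhook("s3cret", "", []byte(BadPayload))
	fmt.Println("secret configured, unsigned request:", err)
	hrefs, err := HandleWebhook("s3cret", SignBody("s3cret", []byte(GoodPayload)), []byte(GoodPayload))
	fmt.Println("secret configured, signed good payload:", hrefs, err)
}
```

Note that the secret only authenticates the sender; a correctly signed malformed payload still reaches the parser, which is why the comma-ok check (the upgrade) is the actual fix and the secret is a workaround.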