CVE-2025-59531
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-01

Last updated on: 2025-10-07

Assigner: GitHub, Inc.

Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-01
Last Modified
2025-10-07
Generated
2026-06-16
AI Q&A
2025-10-01
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59531
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
argoproj argo_cd From 1.2.0 (inc) to 1.8.7 (inc)
argoproj argo_cd From 2.0.0 (inc) to 2.14.20 (exc)
argoproj argo_cd From 3.0.0 (inc) to 3.0.19 (exc)
argoproj argo_cd From 3.1.0 (inc) to 3.1.8 (exc)
argoproj argo_cd 3.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Argo CD allows malicious API requests to crash the API server by sending a malformed Bitbucket Server payload to the /api/webhook endpoint when the webhook.bitbucketserver.secret is not configured. Specifically, a non-array repository.links.clone field in the payload causes the server to crash, leading to denial of service.

Impact Analysis

An attacker can send a single unauthenticated request that triggers a CrashLoopBackOff state in the API server, causing denial of service to legitimate clients. If all replicas are targeted, this can result in a complete API outage, disrupting continuous delivery operations managed by Argo CD.

Mitigation Strategies

To mitigate this vulnerability, upgrade Argo CD to a fixed version: 2.14.20, 3.2.0-rc2, 3.1.8, or 3.0.19. Additionally, configure the webhook.bitbucketserver.secret to prevent the /api/webhook endpoint from crashing when receiving malformed Bitbucket Server payloads.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59531. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart