CVE-2025-59537
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-10-01
Last updated on: 2025-10-07
Assigner: GitHub, Inc.
Description
Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CDβs /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| argoproj | argo_cd | From 1.2.0 (inc) to 1.8.7 (inc) |
| argoproj | argo_cd | From 2.0.0 (inc) to 2.14.20 (exc) |
| argoproj | argo_cd | From 3.0.0 (inc) to 3.0.19 (exc) |
| argoproj | argo_cd | From 3.1.0 (inc) to 3.1.8 (exc) |
| argoproj | argo_cd | 3.2.0 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
