CVE-2025-59537
BaseFortify
Publication date: 2025-10-01
Last updated on: 2025-10-07
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| argoproj | argo_cd | From 1.2.0 (inc) to 1.8.7 (inc) |
| argoproj | argo_cd | From 2.0.0 (inc) to 2.14.20 (exc) |
| argoproj | argo_cd | From 3.0.0 (inc) to 3.0.19 (exc) |
| argoproj | argo_cd | From 3.1.0 (inc) to 3.1.8 (exc) |
| argoproj | argo_cd | 3.2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Argo CD allows malicious API requests to crash the API server, causing a denial of service. Specifically, when the /api/webhook endpoint receives a Gogs push event whose commits[].repo JSON field is missing or null, and no webhook.gogs.secret is configured, the handler dereferences the absent value (the NULL pointer dereference listed under CWE-476) and the entire argocd-server process crashes.
How can this vulnerability impact me?
The vulnerability can cause the Argo CD API server to crash, resulting in denial of service to legitimate clients. Users may be unable to access or use Argo CD until the server is restarted or patched.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Argo CD to one of the fixed versions: 2.14.20, 3.2.0-rc2, 3.1.8, or 3.0.19. Additionally, configure a webhook.gogs.secret so that the instance no longer runs in the default configuration in which the /api/webhook endpoint crashes on a malformed Gogs push event.
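The defensive pattern behind the fix, as an added example that is not Argo CD's own code: a webhook handler that validates every commits[].repo entry of a Gogs push event before any code dereferences it, so a malformed event is answered with HTTP 400 (and a log line a defender can alert on) instead of taking down the process. The struct layouts, the sample payloads and the handler are constructed for this example; only the commits[].repo field name and the /api/webhook path come from the advisory. Secret verification is deliberately left out so the example stays focused on the CWE-20 check that prevents the CWE-476 crash.

```go
// Added example, not Argo CD's own code: a Gogs push-event handler that
// validates commits[].repo before anything dereferences it, so a malformed
// event gets an HTTP 400 instead of crashing the process.
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
)

// Struct shapes are assumptions for this example; only the commits[].repo
// field name comes from the advisory text.
type gogsRepo struct {
	Name    string `json:"name"`
	HTMLURL string `json:"html_url"`
}

type gogsCommit struct {
	ID   string    `json:"id"`
	Repo *gogsRepo `json:"repo"` // absent key and JSON null both decode to nil
}

type gogsPushEvent struct {
	Ref     string       `json:"ref"`
	Commits []gogsCommit `json:"commits"`
}

var errMalformedPush = errors.New("gogs push event: commits[].repo is missing or null")

// parseGogsPush decodes a push event and checks every pointer that later
// code dereferences. Input validation here (CWE-20) is what prevents the
// nil-pointer dereference (CWE-476) further down.
func parseGogsPush(body []byte) (*gogsPushEvent, error) {
	var ev gogsPushEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		return nil, fmt.Errorf("gogs push event: invalid JSON: %w", err)
	}
	for i, c := range ev.Commits {
		if c.Repo == nil {
			return nil, fmt.Errorf("%w (commit index %d)", errMalformedPush, i)
		}
	}
	return &ev, nil
}

// repoURLs is the kind of downstream code that dereferences commits[].repo
// unconditionally; it is safe only for events that passed parseGogsPush.
func repoURLs(ev *gogsPushEvent) []string {
	urls := make([]string, 0, len(ev.Commits))
	for _, c := range ev.Commits {
		urls = append(urls, c.Repo.HTMLURL)
	}
	return urls
}

// webhookHandler treats a malformed event as a client error. Secret
// verification is omitted here; deploy the fixed versions regardless.
func webhookHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // bound the body size
	if err != nil {
		http.Error(w, "cannot read body", http.StatusBadRequest)
		return
	}
	ev, err := parseGogsPush(body)
	if err != nil {
		log.Printf("webhook rejected from %s: %v", r.RemoteAddr, err) // detection signal
		http.Error(w, "malformed push event", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted push to %s (%d commit repo URL(s))\n", ev.Ref, len(repoURLs(ev)))
}

// Constructed sample payloads (not real Gogs traffic).
const (
	samplePushOK          = `{"ref":"refs/heads/main","commits":[{"id":"abc123","repo":{"name":"app","html_url":"https://gogs.example.test/org/app"}}]}`
	samplePushNullRepo    = `{"ref":"refs/heads/main","commits":[{"id":"abc123","repo":null}]}`
	samplePushMissingRepo = `{"ref":"refs/heads/main","commits":[{"id":"abc123"}]}`
)

func main() {
	samples := map[string]string{"ok": samplePushOK, "null-repo": samplePushNullRepo, "missing-repo": samplePushMissingRepo}
	for name, body := range samples {
		if ev, err := parseGogsPush([]byte(body)); err != nil {
			fmt.Printf("%-12s rejected: %v\n", name, err)
		} else {
			fmt.Printf("%-12s accepted: %v\n", name, repoURLs(ev))
		}
	}
	http.HandleFunc("/api/webhook", webhookHandler)
	// http.ListenAndServe(":8080", nil) // uncomment to actually serve
}
```

The design point is that the pointer check lives in the parser, not scattered through consumers: every field a later stage dereferences is proven non-nil once, at the trust boundary, and the rejection produces a log line with the peer address, which is the signal to watch for if someone is probing the endpoint with malformed events.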