CVE-2025-59537
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-59537, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-01

Last updated on: 2025-10-07

Assigner: GitHub, Inc.

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-01
Last Modified
2025-10-07
Generated
2026-07-06
AI Q&A
2025-10-01
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
argoproj argo_cd From 1.2.0 (inc) to 1.8.7 (inc)
argoproj argo_cd From 2.0.0 (inc) to 2.14.20 (exc)
argoproj argo_cd From 3.0.0 (inc) to 3.0.19 (exc)
argoproj argo_cd From 3.1.0 (inc) to 3.1.8 (exc)
argoproj argo_cd 3.2.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Argo CD allows malicious API requests to crash the API server, causing a denial of service. Specifically, when the /api/webhook endpoint receives a Gogs push event with a missing or null commits[].repo JSON field and no webhook.gogs.secret is set, the entire argocd-server process crashes.

Impact Analysis

The vulnerability can cause the Argo CD API server to crash, resulting in denial of service to legitimate clients. This means users may be unable to access or use Argo CD until the server is restarted or patched.

Mitigation Strategies

To mitigate this vulnerability, upgrade Argo CD to one of the fixed versions: 2.14.20, 3.2.0-rc2, 3.1.8, or 3.0.19. Additionally, configure a webhook.gogs.secret to avoid the default configuration that allows the /api/webhook endpoint to crash when receiving malformed Gogs push events.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59537. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart