CVE-2025-59538
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-01

Last updated on: 2025-10-07

Assigner: GitHub, Inc.

Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is accessed without a length check, causing an index-out-of-range panic. A single unauthenticated HTTP POST is enough to kill the process. This issue is resolved in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-01
Last Modified
2025-10-07
Generated
2026-06-16
AI Q&A
2025-10-01
EPSS Evaluated
2026-06-14
NVD
CVE-2025-59538
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
argoproj argo_cd From 2.9.0 (inc) to 2.14.20 (exc)
argoproj argo_cd From 3.0.0 (inc) to 3.0.19 (exc)
argoproj argo_cd From 3.1.0 (inc) to 3.1.8 (exc)
argoproj argo_cd 3.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-248 An exception is thrown from a function, but it is not caught.
CWE-703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in Argo CD versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6, and 3.0.17 when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration. The /api/webhook endpoint crashes the entire argocd-server process if it receives an Azure DevOps Push event with an empty JSON array resource.refUpdates. The code accesses the first element of this array without checking if it exists, causing an index-out-of-range panic. A single unauthenticated HTTP POST request can trigger this crash.

Impact Analysis

This vulnerability can cause a denial of service by crashing the argocd-server process when triggered. Since the crash can be caused by a single unauthenticated HTTP POST request, an attacker can disrupt the availability of the Argo CD service, potentially impacting continuous delivery workflows and system stability.

Mitigation Strategies

Upgrade Argo CD to version 2.14.20, 3.2.0-rc2, 3.1.8, or 3.0.19 or later. Additionally, ensure that the webhook.azuredevops.username and webhook.azuredevops.password are set in the default configuration to prevent the /api/webhook endpoint from crashing the argocd-server process.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59538. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart