CVE-2025-59531

Oct. 2, 2025, 7:11 p.m.

7.5
High

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.

Product(s) Impacted

Vendor Product Versions
Argoproj
  • Argo Cd
  • 1.2.0-1.8.7, 2.0.0-rc1-2.14.19, 3.0.0-rc1-3.2.0-rc1, 3.1.7, 3.0.18

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-703
Improper Check or Handling of Exceptional Conditions
The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a argoproj argo_cd 1.2.0-1.8.7 / / / / / / /
a argoproj argo_cd 2.0.0-rc1-2.14.19 / / / / / / /
a argoproj argo_cd 3.0.0-rc1-3.2.0-rc1 / / / / / / /
a argoproj argo_cd 3.1.7 / / / / / / /
a argoproj argo_cd 3.0.18 / / / / / / /

References

https://github.com/argoproj/argo-cd/commit/5c466a4e39802e059e75c0008ae7b7b8e842538f
https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc
https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc

Tags

security-advisories@github.com
CWE-703
2025-10-01
CVE-2025-59531

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: Oct. 1, 2025, 9:16 p.m.
Last Modified: Oct. 2, 2025, 7:11 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.