CVE-2025-59537

Oct. 2, 2025, 7:11 p.m.

7.5
High

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.

Product(s) Impacted

Vendor Product Versions
Argoproj
  • Argo Cd
  • 1.2.0-1.8.7, 2.0.0-rc1-2.14.19, 3.0.0-rc1-3.2.0-rc1, 3.1.7, 3.0.18, 2.14.20, 3.2.0-rc2, 3.1.8, 3.0.19

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-20
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a argoproj argo_cd 1.2.0-1.8.7 / / / / / / /
a argoproj argo_cd 2.0.0-rc1-2.14.19 / / / / / / /
a argoproj argo_cd 3.0.0-rc1-3.2.0-rc1 / / / / / / /
a argoproj argo_cd 3.1.7 / / / / / / /
a argoproj argo_cd 3.0.18 / / / / / / /
a argoproj argo_cd 2.14.20 / / / / / / /
a argoproj argo_cd 3.2.0-rc2 / / / / / / /
a argoproj argo_cd 3.1.8 / / / / / / /
a argoproj argo_cd 3.0.19 / / / / / / /

References

https://github.com/argoproj/argo-cd/commit/761fc27068d2d4cd24e1f784eb2a9033b5ee7f43
https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2
https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2

Tags

CWE-20
security-advisories@github.com
2025-10-01
CVE-2025-59537

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: Oct. 1, 2025, 9:16 p.m.
Last Modified: Oct. 2, 2025, 7:11 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.