CVE-2025-59537
01.10.2025, 21:16
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration (no webhook.gogs.secret set), Argo CD's /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
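The failure mode described above is a NULL pointer dereference on an attacker-controlled JSON field. The following Go program is an added example, not Argo CD's own webhook code: it models a reduced Gogs push payload (struct names, the sample payloads and the handler are assumptions constructed for illustration), shows an unsafe accessor that dereferences `commits[].repo` without a check, and beside it a hardened parser that rejects a missing or null `repo` with a client-facing error instead of panicking, plus a handler that maps that error to HTTP 400 and confines any residual panic to the single request.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// Reduced shape of a Gogs push event; only the fields relevant here.
// These types are an assumption for this example, not Argo CD's types.
type gogsRepository struct {
	FullName string `json:"full_name"`
	HTMLURL  string `json:"html_url"`
}

type gogsCommit struct {
	ID   string          `json:"id"`
	Repo *gogsRepository `json:"repo"` // pointer: absent or JSON null decodes to nil
}

type gogsPushEvent struct {
	Ref     string       `json:"ref"`
	Commits []gogsCommit `json:"commits"`
}

// Constructed sample payloads (not captured traffic).
const (
	SamplePush        = `{"ref":"refs/heads/main","commits":[{"id":"abc123","repo":{"full_name":"org/app","html_url":"https://gogs.example/org/app"}}]}`
	SampleNullRepo    = `{"ref":"refs/heads/main","commits":[{"id":"abc123","repo":null}]}`
	SampleMissingRepo = `{"ref":"refs/heads/main","commits":[{"id":"abc123"}]}`
)

// ErrMalformedPayload is returned for payloads that parse as JSON but
// violate the shape the handler relies on.
var ErrMalformedPayload = errors.New("malformed gogs push payload")

// UnsafeRepoURLs mirrors the advisory's failure mode: c.Repo is used
// without a nil check, so a null or absent "repo" panics the caller.
func UnsafeRepoURLs(body []byte) []string {
	var e gogsPushEvent
	_ = json.Unmarshal(body, &e)
	urls := make([]string, 0, len(e.Commits))
	for _, c := range e.Commits {
		urls = append(urls, c.Repo.HTMLURL) // nil pointer dereference when repo is null
	}
	return urls
}

// ParsePushEvent is the hardened form: every pointer that came from
// untrusted JSON is checked before use, and shape violations become an
// error the HTTP layer can report to the client.
func ParsePushEvent(body []byte) ([]string, error) {
	var e gogsPushEvent
	if err := json.Unmarshal(body, &e); err != nil {
		return nil, fmt.Errorf("%w: %v", ErrMalformedPayload, err)
	}
	urls := make([]string, 0, len(e.Commits))
	for i, c := range e.Commits {
		if c.Repo == nil || c.Repo.HTMLURL == "" {
			return nil, fmt.Errorf("%w: commits[%d].repo missing or null", ErrMalformedPayload, i)
		}
		urls = append(urls, c.Repo.HTMLURL)
	}
	return urls, nil
}

// Panics reports whether f panics, so the crash can be demonstrated
// without taking the process down.
func Panics(f func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	f()
	return false
}

// WebhookHandler is an assumed handler for a /api/webhook-style endpoint:
// malformed input is a 400, and a deferred recover confines any remaining
// panic to this one request rather than the whole server process.
func WebhookHandler(w http.ResponseWriter, r *http.Request) {
	defer func() {
		if rec := recover(); rec != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
		}
	}()
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap body size as well
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	urls, err := ParsePushEvent(body)
	if errors.Is(err, ErrMalformedPayload) {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	if err != nil {
		http.Error(w, "internal error", http.StatusInternalServerError)
		return
	}
	fmt.Fprintf(w, "refreshing %d repositories\n", len(urls))
}

func main() {
	for _, p := range []string{SamplePush, SampleNullRepo, SampleMissingRepo} {
		urls, err := ParsePushEvent([]byte(p))
		fmt.Printf("urls=%v err=%v unsafe-panics=%v\n", urls, err,
			Panics(func() { UnsafeRepoURLs([]byte(p)) }))
	}
}
```

The decoding choice matters: a pointer field is the only way `encoding/json` can distinguish "absent or null" from "present but empty", which is why the check has to be on `c.Repo == nil` before any field access. The recover in the handler is defense in depth, not a substitute for the check; it keeps a future dereference bug from becoming a process-wide denial of service.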
| Vendor | Product | Version |
|---|---|---|
| argoproj | argo_cd | 1.2.0 ≤ 𝑥 ≤ 1.8.7 |
| argoproj | argo_cd | 2.0.0 ≤ 𝑥 < 2.14.20 |
| argoproj | argo_cd | 3.0.0 ≤ 𝑥 < 3.0.19 |
| argoproj | argo_cd | 3.1.0 ≤ 𝑥 < 3.1.8 |
| argoproj | argo_cd | 3.2.0:rc1 |
𝑥 = vulnerable software versions
Common Weakness Enumeration
- CWE-20 - Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- CWE-476 - NULL Pointer Dereference: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.