CVE-2025-59537

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-59537
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-59537.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-59537
Aliases
Downstream
Related
Published
2025-10-01T21:01:36Z
Modified
2025-10-30T20:36:09.033503Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
argo-cd is vulnerable to unauthenticated DoS attack via malformed Gogs webhook payload
Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.

Database specific 
{
    "cwe_ids": [
        "CWE-20",
        "CWE-476"
    ]
}
References

Affected packages

Git / github.com/argoproj/argo-cd

Affected ranges

Type
GIT
Repo
https://github.com/argoproj/argo-cd
Events
Introduced
674978cd587701b39e81fce6d5c960b6d76d5882
Last affected
eb3d1fb84b9b77cdffd70b14c4f949f1c64a9416
Database specific 
{
    "versions": [
        {
            "introduced": "1.2.0"
        },
        {
            "last_affected": "1.8.7"
        }
    ]
}
Type
GIT
Repo
https://github.com/argoproj/argo-cd
Events
Introduced
0ca643f027b99e8a5b931bb8ee9df42c3e4b64bf
Fixed
879895af786513ae25ba22f36f861cc1afe3b435
Database specific 
{
    "versions": [
        {
            "introduced": "2.0.0-rc1"
        },
        {
            "fixed": "2.14.20"
        }
    ]
}
Type
GIT
Repo
https://github.com/argoproj/argo-cd
Events
Introduced
06ef059f9fc7cf9da2dfaef2a505ee1e3c693485
Fixed
973eccee0af7f3096e7c56b1ba7c9a8601e077c4
Database specific 
{
    "versions": [
        {
            "introduced": "3.2.0-rc1"
        },
        {
            "fixed": "3.2.0-rc2"
        }
    ]
}
Type
GIT
Repo
https://github.com/argoproj/argo-cd
Events
Introduced
320f46f06beaf75f9c406e3a47e2e09d36e2047a
Fixed
becb020064fe9be5381bf6e5818ff8587ca8f377
Database specific 
{
    "versions": [
        {
            "introduced": "3.1.0-rc1"
        },
        {
            "fixed": "3.1.8"
        }
    ]
}
Type
GIT
Repo
https://github.com/argoproj/argo-cd
Events
Introduced
226a670fe6b3c6769ff6d18e6839298a58e4577d
Fixed
132be88e674fbdb222e38f9a15edb5b512904cd9
Database specific 
{
    "versions": [
        {
            "introduced": "3.0.0-rc1"
        },
        {
            "fixed": "3.0.19"
        }
    ]
}

Affected versions

v3.*

v3.0.0
v3.0.0-rc1
v3.0.0-rc2
v3.0.0-rc3
v3.0.0-rc4
v3.0.0-rc5
v3.0.0-rc6
v3.0.1
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.17
v3.0.18
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.1.0
v3.1.0-rc1
v3.1.0-rc2
v3.1.0-rc3
v3.1.0-rc4
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.2.0-rc1