2400938 – (CVE-2025-59537) CVE-2025-59537 github.com/argoproj/argo-cd: Argo CD unauthenticated Denial of Service

Bug 2400938 (CVE-2025-59537) - CVE-2025-59537 github.com/argoproj/argo-cd: Argo CD unauthenticated Denial of Service

Summary: CVE-2025-59537 github.com/argoproj/argo-cd: Argo CD unauthenticated Denial of...

Keywords:
Status:	NEW
Alias:	CVE-2025-59537
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-10-01 22:01 UTC by OSIDB Bzimport
Modified:	2025-10-01 23:01 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-10-01 22:01:15 UTC

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.

Note You need to log in before you can comment on or make changes to this bug.