CVE-2025-59537

HIGH

Argoproj Argo CD < 1.8.7 - Improper Input Validation

Title source: rule

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.

References (2)

Core 2

Core References

Exploit, Mitigation, Vendor Advisory x_refsource_confirm

https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2

Patch x_refsource_misc

https://github.com/argoproj/argo-cd/commit/761fc27068d2d4cd24e1f784eb2a9033b5ee7f43

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0023

EPSS Percentile 45.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-476 CWE-20

Status published

Products (5)

argoproj/argo-cd 1.2.0Go

argoproj/argo-cd 2.0.0-rc1 - 2.14.20Go

argoproj/argo-cd 3.2.0-rc1 - 3.2.0-rc2Go

argoproj/argo_cd 3.2.0 rc1

argoproj/argo_cd 1.2.0 - 1.8.7

Published Oct 01, 2025

Tracked Since Feb 18, 2026