CVE-2024-21661

7.5 HIGH

📋 TL;DR

CVE-2024-21661 is a critical Denial of Service vulnerability in Argo CD that allows unauthenticated attackers to crash the application by exploiting unsafe array manipulation in multi-threaded environments. All Argo CD users running vulnerable versions are affected, as the flaw can render the application completely inoperable. The vulnerability stems from concurrent modification of an array while it's being iterated over, causing application crashes.

💻 Affected Systems

Products:
  • Argo CD
Versions: All versions prior to 2.8.13, 2.9.9, and 2.10.4
Operating Systems: All platforms running Argo CD
Default Config Vulnerable: ⚠️ Yes
Notes: All Argo CD deployments with default configurations are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete and persistent denial of service where Argo CD becomes completely unavailable, disrupting all GitOps deployments and Kubernetes management operations.

🟠 Likely Case

Intermittent application crashes leading to service disruption, failed deployments, and operational downtime until the application is restarted.

🟢 If Mitigated

Limited impact if network controls restrict access to Argo CD API endpoints and proper monitoring detects crash patterns early.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and exploits a simple race condition, making exploitation straightforward for attackers with network access to Argo CD.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.8.13, 2.9.9, or 2.10.4

Vendor Advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7

Restart Required: Yes

Instructions:

1. Identify the current Argo CD version.
2. Upgrade to the patched version (2.8.13 for 2.8.x, 2.9.9 for 2.9.x, 2.10.4 for 2.10.x).
3. Restart the Argo CD components.
4. Verify the upgrade was successful.

🔧 Temporary Workarounds

Network Access Restriction

Platform: all

Restrict network access to Argo CD API endpoints to trusted IP addresses only. A NetworkPolicy filters traffic as it reaches the pod: if external clients arrive through an ingress controller or load balancer, the source address seen by the policy is that proxy's, so the same restriction must also be enforced at the ingress or load balancer.

# Example using Kubernetes NetworkPolicy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argo-cd-restrict
  namespace: argocd
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-server
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.0.0.0/8  # Restrict to internal network

🧯 If You Can't Patch

  • Implement strict network segmentation to limit access to Argo CD API endpoints
  • Deploy rate limiting and request filtering at the ingress/load balancer level

🔍 How to Verify

Check if Vulnerable:

Check the running Argo CD version from the argocd-server image tag:

kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o jsonpath='{.items[0].spec.containers[0].image}'

Verify Fix Applied:

Verify the version is at least 2.8.13 (2.8.x), 2.9.9 (2.9.x) or 2.10.4 (2.10.x). The grep below matches only those three exact release tags; a newer tag will not match and must be compared by hand:

kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o jsonpath='{.items[0].spec.containers[0].image}' | grep -E ':v?(2\.8\.13|2\.9\.9|2\.10\.4)$'
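As an added example (not part of this advisory or of the Argo CD project), a POSIX shell function that classifies the running image reference against the three fixed releases, handling later patch releases and digest-pinned or untagged images that an exact-string grep cannot. It assumes the tag format quay.io/argoproj/argocd:vX.Y.Z and treats 2.11 and later as fixed.

```shell
#!/bin/sh
# Added example (not from the advisory or the Argo CD project): classify an
# argocd-server image reference against the fixed releases named above
# (2.8.13, 2.9.9, 2.10.4) instead of grepping for three exact strings.
# Prints: vulnerable | fixed | unknown (tag could not be parsed as a version).
argocd_status() {
    image=$1
    tag=${image##*:}   # text after the last ':' (tag, or digest hex after '@sha256:')
    tag=${tag#v}       # Argo CD tags carry a leading 'v'
    tag=${tag%%-*}     # drop a pre-release suffix such as -rc1 (assumption: compare the base version)
    IFS=. read -r major minor patch _rest <<EOF
$tag
EOF
    # Every component must be a non-empty run of digits, otherwise we cannot judge it
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done
    if [ "$major" -gt 2 ]; then echo fixed; return 0; fi
    if [ "$major" -lt 2 ] || [ "$minor" -lt 8 ]; then echo vulnerable; return 0; fi
    case $minor in
        8)  fixed_patch=13 ;;
        9)  fixed_patch=9 ;;
        10) fixed_patch=4 ;;
        *)  echo fixed; return 0 ;;   # assumption: 2.11+ shipped after the fix
    esac
    if [ "$patch" -lt "$fixed_patch" ]; then echo vulnerable; else echo fixed; fi
}

# Live check against the cluster, only when invoked with --live and kubectl is present.
if [ "${1:-}" = "--live" ] && command -v kubectl >/dev/null 2>&1; then
    img=$(kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server \
        -o jsonpath='{.items[0].spec.containers[0].image}')
    echo "$img -> $(argocd_status "$img")"
fi
```

Run it as `sh check.sh --live` against a cluster; an `unknown` result means the image is pinned by digest or an untagged/`latest` reference and must be resolved to a release tag by hand.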

📡 Detection & Monitoring

Log Indicators:

  • Argo CD process crashes
  • Panic stack traces in logs
  • Repeated pod restarts in Kubernetes
  • Error messages related to concurrent map/slice access

Network Indicators:

  • High volume of requests to Argo CD API endpoints from single sources
  • Unusual request patterns targeting session management endpoints

SIEM Query:

source="argo-cd" AND ("panic" OR "fatal" OR "concurrent map" OR "concurrent slice" OR "crash")
