CVE-2025-59538

7.5 HIGH

📋 TL;DR

This vulnerability in Argo CD allows an unauthenticated attacker to crash the argocd-server process by sending a specially crafted Azure DevOps webhook payload. Affected organizations are those running vulnerable Argo CD versions with Azure DevOps webhooks enabled but without authentication credentials configured.

💻 Affected Systems

Products:
  • Argo CD
Versions: 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6, and 3.0.17
Operating Systems: All platforms running Argo CD
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when Azure DevOps webhooks are enabled and webhook.azuredevops.username/password are not set in configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service for Argo CD, disrupting Kubernetes deployments and GitOps workflows until the service is manually restarted.

🟠 Likely Case

Intermittent service disruptions when attackers discover and exploit the vulnerability, requiring manual intervention to restart crashed processes.

🟢 If Mitigated

No impact if Azure DevOps webhooks are not used or if authentication credentials are properly configured.

🌐 Internet-Facing: HIGH - Single unauthenticated HTTP POST can crash the service from anywhere on the internet.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could still cause service disruption.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a single HTTP POST with an empty resource.refUpdates array sent to the /api/webhook endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.14.20, 3.2.0-rc2, 3.1.8, and 3.0.19

Vendor Advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv

Restart Required: Yes

Instructions:

1. Upgrade to a patched version.
2. Restart argocd-server.
3. Verify the service is running and accepting webhooks.

🔧 Temporary Workarounds

Configure Azure DevOps Webhook Authentication

Applies to: all

Set webhook.azuredevops.username and webhook.azuredevops.password in the Argo CD configuration.

argocd-cm.yaml: add the webhook.azuredevops.username and webhook.azuredevops.password fields

Disable Azure DevOps Webhooks

Applies to: all

Remove or disable the Azure DevOps webhook integration if it is not needed.

Remove the Azure DevOps webhook configuration from the argocd-cm ConfigMap

🧯 If You Can't Patch

  • Implement network controls to restrict access to /api/webhook endpoint
  • Configure Azure DevOps webhook authentication credentials immediately

🔍 How to Verify

Check if Vulnerable:

Check Argo CD version and verify if Azure DevOps webhooks are enabled without authentication

Check Version:

argocd version --client
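The check below is an added example, not part of this card or of the Argo CD project. It parses the version string printed by `argocd version --client` and compares it against the patched releases listed above. It assumes (a conservative reading of the card) that every release of a listed minor line below that line's patched version, release candidates included, is affected, that the 2.9 to 2.13 lines have no patched release and are therefore all affected, and that lines the card does not name are out of scope. The sample command output is constructed.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, Optional[int]]  # (major, minor, patch, rc)

# Patched releases from the card, keyed by minor line. 3.2.0-rc2 is encoded as rc=2.
PATCHED = {
    (2, 14): (2, 14, 20, None),
    (3, 0): (3, 0, 19, None),
    (3, 1): (3, 1, 8, None),
    (3, 2): (3, 2, 0, 2),
}
FIRST_AFFECTED: Version = (2, 9, 0, 1)  # 2.9.0-rc1, the earliest version the card names

_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse 'v2.14.19' or '3.2.0-rc1' (build metadata after '+' is ignored)."""
    m = _VER.match(text.strip().split("+", 1)[0])
    if not m:
        raise ValueError(f"unrecognised Argo CD version: {text!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch), (int(rc) if rc else None)


def sort_key(v: Version):
    """Ordering key: a release candidate sorts before the final release of the same number."""
    major, minor, patch, rc = v
    return (major, minor, patch, 0 if rc is not None else 1, rc or 0)


def is_vulnerable(version: str) -> bool:
    """True when the version falls in an affected range listed on the card."""
    v = parse_version(version)
    if sort_key(v) < sort_key(FIRST_AFFECTED):
        return False
    line = (v[0], v[1])
    if line in PATCHED:
        return sort_key(v) < sort_key(PATCHED[line])
    # Assumption: 2.9 through 2.13 received no fix (the 2.x fix is 2.14.20), so all are affected.
    if v[0] == 2 and 9 <= v[1] < 14:
        return True
    # Lines not named on the card (for example 3.3+) are not flagged by this check.
    return False


def client_version_from_output(output: str) -> Optional[str]:
    """Extract the client version from `argocd version --client` output.

    The CLI prints a line of the form 'argocd: v2.14.19+abc1234'; anything
    after '+' is build metadata and is dropped.
    """
    for line in output.splitlines():
        if line.startswith("argocd:"):
            return line.split(":", 1)[1].strip().split("+", 1)[0]
    return None


# Constructed sample output, shaped like the real CLI line.
SAMPLE_OUTPUT = "argocd: v2.14.19+abc1234\n  BuildDate: 2025-01-01T00:00:00Z\n"

if __name__ == "__main__":
    ver = client_version_from_output(SAMPLE_OUTPUT)
    print(ver, "vulnerable" if ver and is_vulnerable(ver) else "not in an affected range")
```

Note that the client version is only a proxy: the process that crashes is argocd-server, so the server-side image tag (or `argocd version` without `--client` against the live instance) is what actually matters, and a patched version still needs the restart the card calls for.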

Verify Fix Applied:

After patching, send an Azure DevOps webhook with an empty resource.refUpdates array to the instance; the service should reject or ignore it rather than crash.

📡 Detection & Monitoring

Log Indicators:

  • panic: runtime error: index out of range
  • argocd-server process crashes
  • webhook processing errors

Network Indicators:

  • HTTP POST requests to /api/webhook with empty resource.refUpdates array

SIEM Query:

source="argocd" AND ("panic" OR "index out of range" OR "webhook crash")
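Where no SIEM is in front of the logs, the same indicators can be applied directly. The following is an added example, not part of this card or of Argo CD: it scans argocd-server log lines for the log indicators listed above and offers a body check matching the network indicator (an Azure DevOps-style payload whose resource.refUpdates is an empty list), which is what a reverse proxy or admission filter in front of /api/webhook would key on. The regexes, log lines and JSON body are constructed; the panic line follows the standard Go runtime format.

```python
import json
import re
from typing import Iterable, List, Tuple

# Log indicators from the card, as case-insensitive patterns (constructed).
# A process crash itself shows up as a container restart rather than a log line,
# so that indicator belongs with the orchestrator's restart counters, not here.
LOG_INDICATORS = {
    "go_panic": re.compile(r"panic: runtime error: index out of range", re.I),
    "webhook_error": re.compile(r"webhook.*error", re.I),
}


def scan_log_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, indicator_name) for every line matching an indicator."""
    hits = []
    for number, line in enumerate(lines, 1):
        for name, pattern in LOG_INDICATORS.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits


def is_empty_ref_updates(body: str) -> bool:
    """True when a JSON webhook body carries an empty resource.refUpdates array.

    Anything that is not a JSON object with a resource object is reported as
    False: this function flags the one shape the card names, nothing else.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    if not isinstance(doc, dict):
        return False
    resource = doc.get("resource")
    if not isinstance(resource, dict):
        return False
    ref_updates = resource.get("refUpdates")
    return isinstance(ref_updates, list) and len(ref_updates) == 0


# Constructed sample log, in the logrus key=value style argocd-server emits.
SAMPLE_LOG = [
    'time="2025-10-01T10:00:00Z" level=info msg="Received webhook event" type=azuredevops',
    "panic: runtime error: index out of range [0] with length 0",
    "goroutine 123 [running]:",
    'time="2025-10-01T10:02:00Z" level=error msg="webhook processing error: invalid payload"',
]

# Constructed bodies: one matching the indicator, one ordinary push with a ref update.
SUSPECT_BODY = '{"eventType": "git.push", "resource": {"refUpdates": []}}'
NORMAL_BODY = '{"eventType": "git.push", "resource": {"refUpdates": [{"name": "refs/heads/main"}]}}'

if __name__ == "__main__":
    for number, name in scan_log_lines(SAMPLE_LOG):
        print(f"line {number}: {name}")
    print("suspect body flagged:", is_empty_ref_updates(SUSPECT_BODY))
    print("normal body flagged:", is_empty_ref_updates(NORMAL_BODY))
```

The body check is deliberately narrow so it can sit in a request filter without rejecting legitimate Azure DevOps pushes; pairing it with the panic pattern in the logs gives a before-and-after view of any crash that does occur.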
