CVE-2025-59531 Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate client...

Argo CD 安全漏洞

Argo CD is an Argo open source declarative GitOps continuous delivery tool for Kubernetes. A security vulnerability exists in Argo CD that stems from unconfigured webhook.bitbucketserver.secret when processing malicious API requests, which could lead to a denial-of-service attack. The following...

Improper Check or Handling of Exceptional Conditions

Overview Affected versions of this package are vulnerable to Improper Check or Handling of Exceptional Conditions in the /api/webhook endpoint. An attacker can cause the server process to crash by sending an Azure DevOps Push event with an empty resource.refUpdates array. Note: This is only...

Improper Check or Handling of Exceptional Conditions

Overview Affected versions of this package are vulnerable to Improper Check or Handling of Exceptional Conditions in the /api/webhook endpoint. An attacker can cause the server process to crash by sending an Azure DevOps Push event with an empty resource.refUpdates array. Note: This is only...

GHSA-GPX4-37G2-C8PV Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook

Summary In the default configuration, webhook.azuredevops.username and webhook.azuredevops.password not set, Argo CD’s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index 0 is...

Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook

Summary In the default configuration, webhook.azuredevops.username and webhook.azuredevops.password not set, Argo CD’s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index 0 is...

GHSA-WP4P-9PXH-CGX2 argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload

Summary Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process whe...

Improper Validation of Function Hook Arguments

Overview Affected versions of this package are vulnerable to Improper Validation of Function Hook Arguments in the /api/webhook endpoint via the affectedRevisionInfo function. An attacker can cause the server process to crash and disrupt service availability by sending a Gogs push event whose JSO...

Improper Validation of Function Hook Arguments

Overview Affected versions of this package are vulnerable to Improper Validation of Function Hook Arguments in the /api/webhook endpoint via the affectedRevisionInfo function. An attacker can cause the server process to crash and disrupt service availability by sending a Gogs push event whose JSO...

Improper Validation of Function Hook Arguments

Overview Affected versions of this package are vulnerable to Improper Validation of Function Hook Arguments in the /api/webhook endpoint via the affectedRevisionInfo function. An attacker can cause the server process to crash and disrupt service availability by sending a Gogs push event whose JSO...

argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload

Summary Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process whe...

Improper Check or Handling of Exceptional Conditions

Overview Affected versions of this package are vulnerable to Improper Check or Handling of Exceptional Conditions in the /api/webhook endpoint. An attacker can cause the server to crash and disrupt service availability by sending a Bitbucket Server Push event with JSON field repository.links.clon...

Improper Check or Handling of Exceptional Conditions

Overview Affected versions of this package are vulnerable to Improper Check or Handling of Exceptional Conditions in the /api/webhook endpoint. An attacker can cause the server to crash and disrupt service availability by sending a Bitbucket Server Push event with JSON field repository.links.clon...

Improper Check or Handling of Exceptional Conditions

Overview Affected versions of this package are vulnerable to Improper Check or Handling of Exceptional Conditions in the /api/webhook endpoint. An attacker can cause the server to crash and disrupt service availability by sending a Bitbucket Server Push event with JSON field repository.links.clon...

GHSA-F9GQ-PRRC-HRHC Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload

Summary Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.bitbucketserver.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server...

Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload

Summary Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.bitbucketserver.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server...

PT-2025-40053

Summary Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process whe...

PT-2025-40042

Summary Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.bitbucketserver.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server...

PT-2025-40045

Summary In the default configuration, webhook.azuredevops.username and webhook.azuredevops.password not set, Argo CD’s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index 0 is...

PT-2025-40057

Name of the Vulnerable Software and Affected Versions Argo CD versions 2.9.0-rc1 through 2.14.19 Argo CD versions 3.0.0-rc1 through 3.2.0-rc1 Argo CD version 3.1.6 Argo CD version 3.0.17 Description Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, is susceptible to a...