5 matches found
Denial-of-service (DoS)
github.com/argoproj/argo-cd is vulnerable to denial-of-service (DoS). The vulnerability is due to Argo CD’s /api/webhook endpoint accessing an array index without validating its length, which allows an attacker to crash the argocd-server process using a single unauthenticated HTTP POST with an...
Improper Check or Handling of Exceptional Conditions
Overview: Affected versions of this package are vulnerable to Improper Check or Handling of Exceptional Conditions in the /api/webhook endpoint. An attacker can cause the server process to crash by sending an Azure DevOps Push event with an empty resource.refUpdates array. Note: This is only...
GHSA-GPX4-37G2-C8PV Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook
Summary: In the default configuration (webhook.azuredevops.username and webhook.azuredevops.password not set), Argo CD’s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index 0 is...
Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook
Summary: In the default configuration (webhook.azuredevops.username and webhook.azuredevops.password not set), Argo CD’s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index 0 is...
PT-2025-40057
Name of the Vulnerable Software and Affected Versions: Argo CD versions 2.9.0-rc1 through 2.14.19; Argo CD versions 3.0.0-rc1 through 3.2.0-rc1; Argo CD version 3.1.6; Argo CD version 3.0.17. Description: Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, is susceptible to a...