BIT-ARGO-CD-2025-59538 Argo CD is Vulnerable to Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0 through 2.14.19, 3.0.0 through 3.2.0, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes t...

CVE-2025-59538

Argo CD unauthenticated remote DoS via malformed Azure DevOps git.push webhook. Affected versions: 2.9.0-rc1–2.14.19, 3.0.0-rc1–3.2.0-rc1, 3.1.6, 3.0.17. The /api/webhook endpoint crashes argocd-server when receiving an Azure DevOps Push with empty resource.refUpdates; it accesses index 0 without...