SUSE CVE-2025-59538

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoi...

CVE-2025-59538 Argo CD is Vulnerable to Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoi...

CVE-2025-59538

Argo CD unauthenticated remote DoS via malformed Azure DevOps git.push webhook. Affected versions: 2.9.0-rc1–2.14.19, 3.0.0-rc1–3.2.0-rc1, 3.1.6, 3.0.17. The /api/webhook endpoint crashes argocd-server when receiving an Azure DevOps Push with empty resource.refUpdates; it accesses index 0 without...

CVE-2025-59537 argo-cd is vulnerable to unauthenticated DoS attack via malformed Gogs webhook payload

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate client...

Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook

Summary In the default configuration, webhook.azuredevops.username and webhook.azuredevops.password not set, Argo CD’s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index 0 is...

PT-2025-40057

Name of the Vulnerable Software and Affected Versions Argo CD versions 2.9.0-rc1 through 2.14.19 Argo CD versions 3.0.0-rc1 through 3.2.0-rc1 Argo CD version 3.1.6 Argo CD version 3.0.17 Description Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, is susceptible to a...

PT-2025-40045

Summary In the default configuration, webhook.azuredevops.username and webhook.azuredevops.password not set, Argo CD’s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index 0 is...

Improper Check for Unusual or Exceptional Conditions

Overview Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions via the webhook endpoints. An attacker can cause the plugin to crash by repeatedly sending invalid request bodies to the server. Remediation Upgrade...