7.5

CVE-2025-59531

Exploit

Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ArgoprojArgo Cd Version >= 1.2.0 <= 1.8.7
ArgoprojArgo Cd Version >= 2.0.0 < 2.14.20
ArgoprojArgo Cd Version >= 3.0.0 < 3.0.19
ArgoprojArgo Cd Version >= 3.1.0 < 3.1.8
ArgoprojArgo Cd Version3.2.0 Updaterc1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.24% 0.469
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-703 Improper Check or Handling of Exceptional Conditions

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.