CVE-2025-59537

Exploit

EPSS 0.22%
Veröffentlicht 01.10.2025 21:16:43
Zuletzt bearbeitet 07.10.2025 14:34:45
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

argo-cd is vulnerable to unauthenticated DoS attack via malformed Gogs webhook payload

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 5

NVD 5 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Argoproj ≫ Argo Cd Version >= 1.2.0 <= 1.8.7

Argoproj ≫ Argo Cd Version >= 2.0.0 < 2.14.20

Argoproj ≫ Argo Cd Version >= 3.0.0 < 3.0.19

Argoproj ≫ Argo Cd Version >= 3.1.0 < 3.1.8

Argoproj ≫ Argo Cd Version3.2.0 Updaterc1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.22%	0.44

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://github.com/argoproj/argo-cd/commit/761fc27068d2d4cd24e1f784eb2a9033b5ee7f43

Patch

https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2

Vendor Advisory

Exploit

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2025-59537

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-59537

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-59537

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-59537