Denial of Service Vulnerability in Argo CD by Argo Project
CVE-2025-59531

7.5HIGH

Key Information:

Vendor: Argoproj
Status: Argo-cd
Vendor: CVE Published:; 1 October 2025

What is CVE-2025-59531?

Argo CD, a well-regarded tool for GitOps continuous delivery in Kubernetes, is susceptible to a denial of service vulnerability. This issue arises from the handling of malformed API requests directed at the /api/webhook endpoint when no appropriate webhook.bitbucketserver.secret is configured. Specifically, if a non-array structure is included in the repository.links.clone field of a Bitbucket Server payload, a single unauthenticated request can initiate a CrashLoopBackOff state, effectively disrupting service for all users. This means that while legitimate clients are unable to access the API, merely targeting all replicas can lead to a complete outage. This vulnerability has been addressed in the latest versions: 2.14.20, 3.2.0-rc2, 3.1.8, and 3.0.19.

Affected Version(s)

argo-cd >= 1.2.0, <= 1.8.7 <= 1.2.0, 1.8.7

argo-cd >= 2.0.0-rc1, < 2.14.20 < 2.0.0-rc1, 2.14.20

argo-cd >= 3.2.0-rc1, < 3.2.0-rc2 < 3.2.0-rc1, 3.2.0-rc2

References

https://github.com/argoproj/argo-cd/security/advisories/G...

x_refsource_CONFIRM

https://github.com/argoproj/argo-cd/commit/5c466a4e39802e...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 1, 2025
Vulnerability Reserved
Sep 17, 2025

JSON

Argoproj

What is CVE-2025-59531?

Affected Version(s)

References

CVSS V3.1

Timeline