Denial of Service Vulnerability in Argo CD by Argo Project
CVE-2025-59537

7.5HIGH

Key Information:

Vendor: Argoproj
Status: Argo-cd
Vendor: CVE Published:; 1 October 2025

What is CVE-2025-59537?

Argo CD, a GitOps continuous delivery tool for Kubernetes, is susceptible to malicious API requests that can inadvertently crash the API server, resulting in denial of service for legitimate users. This issue arises particularly when the default configuration is employed without a specified webhook secret. Specifically, when the /api/webhook endpoint receives a Gogs push event where the JSON field for commits[].repo is absent or null, it compromises the stability of the argocd-server process. Users are advised to upgrade to versions 2.14.20, 3.2.0-rc2, 3.1.8, and 3.0.19 to mitigate this issue.

Affected Version(s)

argo-cd >= 1.2.0, <= 1.8.7 <= 1.2.0, 1.8.7

argo-cd >= 2.0.0-rc1, < 2.14.20 < 2.0.0-rc1, 2.14.20

argo-cd >= 3.2.0-rc1, < 3.2.0-rc2 < 3.2.0-rc1, 3.2.0-rc2

References

https://github.com/argoproj/argo-cd/security/advisories/G...

x_refsource_CONFIRM

https://github.com/argoproj/argo-cd/commit/761fc27068d2d4...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 1, 2025
Vulnerability Reserved
Sep 17, 2025

JSON

Argoproj

What is CVE-2025-59537?

Affected Version(s)

References

CVSS V3.1

Timeline