Argo CD Vulnerability in Azure DevOps Webhook Configuration
CVE-2025-59538

7.5 HIGH

Key Information:

Vendor

Argoproj

Status
Vendor
CVE Published:
1 October 2025

What is CVE-2025-59538?

In Argo CD, when the Azure DevOps webhook is not configured with a username and password, the /api/webhook endpoint can crash the argocd-server process on receiving a specific JSON payload in the Azure DevOps event format. The crash occurs when the resource.refUpdates array is empty: the handler reads its first element without first checking the array length, which is an out-of-range access. A single unauthenticated HTTP POST request is enough to trigger it, resulting in a denial of service for the affected server. The issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8, and 3.0.19. Until upgrading, configuring a username and password for the Azure DevOps webhook removes the unauthenticated precondition this advisory describes.
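To make the failure mode concrete, here is an added Go illustration written for this page; it is not Argo CD's own webhook code. It models the Azure DevOps push payload, places a parser that indexes resource.refUpdates[0] unguarded beside one that checks the length first, and wraps the hardened parser in a handler that turns the malformed payload into an HTTP 400 instead of a panic. The type definitions, function names, the "refresh scheduled" response and the sample payloads are all assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Simplified model of the Azure DevOps "git.push" webhook payload. Only the
// fields this example needs are modelled; these are illustrative types for
// this page, not Argo CD's own.
type refUpdate struct {
	Name        string `json:"name"`
	OldObjectID string `json:"oldObjectId"`
	NewObjectID string `json:"newObjectId"`
}

type pushEvent struct {
	EventType string `json:"eventType"`
	Resource  struct {
		RefUpdates []refUpdate `json:"refUpdates"`
	} `json:"resource"`
}

// ErrNoRefUpdates is what the hardened parser returns for a push event whose
// resource.refUpdates array is empty.
var ErrNoRefUpdates = errors.New("azure devops push event has no refUpdates")

// VulnerableRevision shows the bug class the advisory describes: it indexes
// refUpdates[0] without checking the slice length, so an empty array raises
// an index-out-of-range panic.
func VulnerableRevision(body []byte) (string, error) {
	var ev pushEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		return "", err
	}
	return strings.TrimPrefix(ev.Resource.RefUpdates[0].Name, "refs/heads/"), nil
}

// HardenedRevision validates the length before indexing and turns the
// malformed payload into an ordinary error the caller can report.
func HardenedRevision(body []byte) (string, error) {
	var ev pushEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		return "", err
	}
	if len(ev.Resource.RefUpdates) == 0 {
		return "", ErrNoRefUpdates
	}
	return strings.TrimPrefix(ev.Resource.RefUpdates[0].Name, "refs/heads/"), nil
}

// WebhookHandler maps parser errors to HTTP 400 and accepted events to 200.
// It deliberately checks no credentials, mirroring the unconfigured
// username/password case in which any network client can reach it.
func WebhookHandler(parse func([]byte) (string, error)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap body size
		if err != nil {
			http.Error(w, "cannot read body", http.StatusBadRequest)
			return
		}
		rev, err := parse(body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "refresh scheduled for revision %s\n", rev)
	})
}

// Panics reports whether fn panics. net/http recovers a panic raised inside a
// handler, but work handed off to a separate goroutine gets no such
// protection, so an unchecked index there takes the whole process down.
func Panics(fn func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

// Constructed sample payloads (not captured from a real Azure DevOps tenant).
const (
	emptyRefUpdates = `{"eventType":"git.push","resource":{"refUpdates":[]}}`
	normalPush      = `{"eventType":"git.push","resource":{"refUpdates":[{"name":"refs/heads/main","oldObjectId":"0000000000000000000000000000000000000000","newObjectId":"1111111111111111111111111111111111111111"}]}}`
)

func main() {
	fmt.Println("vulnerable parser panics on empty refUpdates:",
		Panics(func() { _, _ = VulnerableRevision([]byte(emptyRefUpdates)) }))

	srv := httptest.NewServer(WebhookHandler(HardenedRevision))
	defer srv.Close()
	for _, payload := range []string{emptyRefUpdates, normalPush} {
		resp, err := http.Post(srv.URL+"/api/webhook", "application/json", strings.NewReader(payload))
		if err != nil {
			panic(err)
		}
		resp.Body.Close()
		fmt.Println("hardened handler status:", resp.StatusCode)
	}
}
```

The length check is the whole fix; everything else is there to show why an unchecked index on untrusted input matters more in a webhook than elsewhere. The endpoint is reachable by anyone who can route to the server, nothing authenticates the sender when no credentials are configured, and a panic that escapes to a background goroutine is fatal to the process rather than to one request.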

Affected Version(s)

argo-cd >= 2.9.0-rc1, < 2.14.20

argo-cd >= 3.2.0-rc1, < 3.2.0-rc2

argo-cd >= 3.1.0-rc1, < 3.1.8


CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

  • Vulnerability published: 1 October 2025

  • Vulnerability reserved
