CVE-2025-59531
Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload
Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0 through 2.14.19, 3.0.0 through 3.2.0, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.1.8 and 3.0.19.
How to fix CVE-2025-59531
To remediate CVE-2025-59531, upgrade the affected package to a fixed version below.
- —upgrade to 2.14.20 or later
- —no fix listed
- —no fix listed
- —upgrade to 2.14.20 or later
- —upgrade to 2.14.20 or later
- —upgrade to 3.0.19 or later
- —upgrade to 3.2.0-rc2 or later
Is CVE-2025-59531 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (7)
- >= 1.2.0, < 2.14.20, >= 3.0.0, < 3.0.19, >= 3.1.0, < 3.1.8
- >= 1.2.0, <= 1.8.7
- >= 1.2.0
- from 0, < 2.14.20
- >= 2.0.0-rc1, < 2.14.20
- >= 3.0.0-rc1, < 3.0.19, >= 3.1.0-rc1, < 3.1.8, >= 3.2.0-rc1, < 3.2.0-rc2
- >= 3.2.0-rc1, < 3.2.0-rc2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |