CVE-2025-59537
argo-cd is vulnerable to unauthenticated DoS attack via malformed Gogs webhook payload
Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0 through 2.14.19, 3.0.0 through 3.2.0, 3.1.7 and 3.0.18 are vulnerable to malicious API requests that can crash the API server and deny service to legitimate clients. With the default configuration (no webhook.gogs.secret set), Argo CD's /api/webhook endpoint crashes the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is missing or null. This issue is fixed in versions 2.14.20, 3.1.8 and 3.0.19.
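The crash class described above is a nil pointer dereference on an optional JSON field supplied by an unauthenticated client. The following Go example, added here and not taken from Argo CD or the Gogs client library, contrasts an unchecked dereference with a handler that validates the field; the payload types and the sample event are simplified constructions for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
)

// Minimal stand-in for a Gogs push payload. These types are a simplified
// assumption for this example, not Argo CD's or the Gogs client's real structs.
type (
	gogsRepo struct{ HTMLURL string `json:"html_url"` }
	// Repo is a pointer, so an absent or null "repo" field decodes to nil.
	gogsCommit struct{ Repo *gogsRepo `json:"repo"` }
	gogsPush   struct{ Commits []gogsCommit `json:"commits"` }
)

// Constructed sample event in which the commit's "repo" field is null.
const samplePayload = `{"ref":"refs/heads/main","commits":[{"id":"abc123","repo":null}]}`

// vulnerableRepoURLs dereferences commit.Repo unchecked: with "repo": null it
// panics, and an unrecovered panic in a handler takes the whole process down.
func vulnerableRepoURLs(raw []byte) ([]string, error) {
	var p gogsPush
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	var urls []string
	for _, c := range p.Commits {
		urls = append(urls, c.Repo.HTMLURL) // nil pointer dereference
	}
	return urls, nil
}

// safeRepoURLs treats the per-commit repo as optional, untrusted input and
// rejects the event with an error instead of dereferencing nil.
func safeRepoURLs(raw []byte) ([]string, error) {
	var p gogsPush
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	var urls []string
	for _, c := range p.Commits {
		if c.Repo == nil || c.Repo.HTMLURL == "" {
			return nil, errors.New("push event commit carries no repository information")
		}
		urls = append(urls, c.Repo.HTMLURL)
	}
	return urls, nil
}
```

In a real handler the error from safeRepoURLs should map to an HTTP 400 response so a malformed event is logged and dropped rather than crashing the server.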
How to fix CVE-2025-59537
To remediate CVE-2025-59537, upgrade the affected package to one of the fixed versions listed below.
- upgrade to 2.14.20 or later
- no fix listed
- no fix listed
- upgrade to 2.14.20 or later
- upgrade to 2.14.20 or later
- upgrade to 3.0.19 or later
- upgrade to 3.2.0-rc2 or later
Is CVE-2025-59537 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (7)
- >= 1.2.0, < 2.14.20, >= 3.0.0, < 3.0.19, >= 3.1.0, < 3.1.8
- >= 1.2.0, <= 1.8.7
- >= 1.2.0
- from 0, < 2.14.20
- >= 2.0.0-rc1, < 2.14.20
- >= 3.0.0-rc1, < 3.0.19, >= 3.1.0-rc1, < 3.1.8, >= 3.2.0-rc1, < 3.2.0-rc2
- >= 3.2.0-rc1, < 3.2.0-rc2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |