Introduction
A single unauthenticated HTTP request can crash the Argo CD API server, causing a denial of service for all legitimate clients. This vulnerability, tracked as CVE-2025-59531, affects a wide range of Argo CD versions and can be exploited remotely if the webhook endpoint is exposed without authentication.
Argo CD is a popular open source GitOps continuous delivery tool for Kubernetes, maintained under the CNCF. It is widely used in enterprise and cloud native environments to automate application deployment and synchronization.
Technical Information
CVE-2025-59531 is a denial of service vulnerability in the webhook handler for Bitbucket Server events in Argo CD. The vulnerability is present when the webhook.bitbucketserver.secret is not configured, leaving the /api/webhook endpoint open to unauthenticated requests.
The root cause is an unsafe type assertion in the webhook processing code. Specifically, the handler expects the repository.links.clone field in the Bitbucket Server webhook payload to always be an array. If an attacker sends a payload where this field is a different type (such as a string, object, or null), the following code triggers a panic:
    for _, l := range payload.Repository.Links["clone"].([]any) { // <- unsafe cast
        link := l.(map[string]any)
        ...
    }
When the type assertion fails, Go panics with an error like "interface conversion: interface {} is string, not []interface {}". The panic is not recovered in the worker goroutine, so the entire argocd-server process exits. In Kubernetes environments, this causes the pod to enter CrashLoopBackOff. If all replicas are targeted, the API becomes completely unavailable.
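The following Go program is added here as an illustration and is not taken from the Argo CD code base. It shows the same extraction done with comma-ok type assertions, so that an unexpected shape for repository.links.clone (string, object, null or absent) returns an error instead of panicking, and wraps the handler in a recover guard of the kind a worker goroutine can use as defence in depth. The href and name keys inside the clone entries, and both sample payloads, are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// cloneLinks extracts the clone URLs from a decoded Bitbucket Server
// webhook payload without any unchecked type assertion. Every step uses
// the comma-ok form, so a payload whose fields have an unexpected shape
// yields an error rather than a panic.
func cloneLinks(payload map[string]any) ([]string, error) {
	repo, ok := payload["repository"].(map[string]any)
	if !ok {
		return nil, errors.New("payload.repository is missing or not an object")
	}
	links, ok := repo["links"].(map[string]any)
	if !ok {
		return nil, errors.New("repository.links is missing or not an object")
	}
	clone, ok := links["clone"].([]any)
	if !ok {
		// This is the case that crashed the vulnerable handler: clone is a
		// string, object, null or absent instead of an array.
		return nil, fmt.Errorf("repository.links.clone has type %T, expected array", links["clone"])
	}
	var urls []string
	for _, l := range clone {
		link, ok := l.(map[string]any)
		if !ok {
			return nil, fmt.Errorf("clone entry has type %T, expected object", l)
		}
		// "href" is assumed to be the key carrying the clone URL.
		href, ok := link["href"].(string)
		if !ok {
			return nil, errors.New("clone entry has no string href")
		}
		urls = append(urls, href)
	}
	return urls, nil
}

// CloneLinksFromJSON decodes raw webhook JSON and returns the clone URLs.
func CloneLinksFromJSON(body []byte) ([]string, error) {
	var payload map[string]any
	if err := json.Unmarshal(body, &payload); err != nil {
		return nil, fmt.Errorf("invalid JSON: %w", err)
	}
	return cloneLinks(payload)
}

// HandleEvent runs the extractor under a recover guard: if any remaining
// unchecked assertion panics, the worker reports an error instead of
// taking the whole process down.
func HandleEvent(body []byte) (urls []string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("webhook handler panicked: %v", r)
		}
	}()
	return CloneLinksFromJSON(body)
}

// Constructed sample payloads (not real Bitbucket Server events).
const wellFormed = `{"repository":{"links":{"clone":[
  {"href":"ssh://git@bitbucket.example/proj/repo.git","name":"ssh"},
  {"href":"https://bitbucket.example/scm/proj/repo.git","name":"http"}]}}}`

const malformed = `{"repository":{"links":{"clone":"not-an-array"}}}`

func main() {
	for _, body := range []string{wellFormed, malformed} {
		urls, err := HandleEvent([]byte(body))
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("clone URLs:", urls)
	}
}
```

Running the program prints the two clone URLs for the well-formed payload and a "rejected: repository.links.clone has type string, expected array" line for the malformed one; the process keeps running in both cases, which is the behaviour the vulnerable handler lacked.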
This vulnerability is classified as CWE-703 (Improper Check or Handling of Exceptional Conditions).
Affected Systems and Versions
The following Argo CD versions are affected:
- 1.2.0 through 1.8.7
- 2.0.0-rc1 through 2.14.19
- 3.0.0-rc1 through 3.2.0-rc1
- 3.1.7
- 3.0.18
The vulnerability is present when webhook.bitbucketserver.secret is not configured. Systems with this secret set are not vulnerable to unauthenticated exploitation.
Vendor Security History
Argo CD has experienced several notable vulnerabilities in recent years:
- CVE-2025-55190: Information disclosure via project-level API tokens (affected 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12, 3.1.0-rc1 through 3.1.1)
- CVE-2024-31989: Privilege escalation via Redis cache manipulation
- CVE-2025-47933: Cross-site scripting in the user interface
The Argo CD team typically responds quickly to security reports, releasing advisories and patches across supported version branches.
References
- GHSA-f9gq-prrc-hrhc (GitHub Advisory)
- GitLab Advisory for CVE-2025-59531
- CWE-703: Improper Check or Handling of Exceptional Conditions
- Argo CD Security Advisory
- Argo CD Webhook Documentation
- OSV: GHSA-f9gq-prrc-hrhc
- Argo CD Issue 13025
- Kubernetes CrashLoopBackOff Troubleshooting
- Argo CD Issue 7282
- Argo CD CVE-2025-55190 Info Disclosure Summary
- CVE-2025-55191