Introduction
A single malformed webhook request can crash Argo CD's API server, halting all deployment automation and impacting production Kubernetes environments. This vulnerability, tracked as CVE-2025-59537, highlights how insufficient input validation in a widely used DevOps tool can lead to denial of service with minimal attacker effort.
About Argo CD: Argo CD is a leading open source GitOps continuous delivery tool for Kubernetes, maintained by the Argo Project under the CNCF. It is widely adopted in enterprise DevOps pipelines and powers deployment automation for organizations of all sizes. Its webhook integration allows real-time synchronization with Git repositories, making it a critical component in modern CI/CD workflows.
Technical Information
CVE-2025-59537 is a NULL pointer dereference vulnerability in Argo CD's webhook handler for Gogs push events. The vulnerable code is present in the affectedRevisionInfo function, which processes incoming webhook payloads. When the /api/webhook endpoint receives a Gogs webhook payload where the commits[].repo field is either null or missing, the handler attempts to access payload.Repo.HTMLURL without checking if payload.Repo is nil. This results in a runtime panic and crashes the argocd-server process, causing denial of service for all clients.
The vulnerability is triggered by sending an unauthenticated HTTP POST request to the /api/webhook endpoint with the X-Gogs-Event: push header and a crafted JSON body. The attack does not require authentication or elevated privileges. The root cause is a lack of input validation for the presence of the Repo field in the PushPayload struct.
The vulnerable code path is as follows (from the public patch):
    case gogsclient.PushPayload:
        if payload.Repo != nil {
            webURLs = append(webURLs, payload.Repo.HTMLURL)
        }
        // ...
Prior to the patch, the code did not check for nil before accessing payload.Repo.HTMLURL.
Patch Information
To address this vulnerability, the Argo CD team introduced a patch that adds a nil check for the Repo field in the PushPayload struct before accessing its properties. This prevents the application from dereferencing a nil pointer and crashing.
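As an added illustration (not Argo CD's or the gogs client library's own code), the following Go program reconstructs the pre-patch and patched URL extraction described above on a constructed stand-in for the Gogs PushPayload struct, and parses two constructed webhook bodies, one with the repository set to null, to show that the unchecked form panics while the nil-checked form returns an empty list. The type names and the repository/html_url JSON keys are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Stand-in for the Gogs push payload (assumed shape, not the gogs client library types).
type Repository struct {
	HTMLURL string `json:"html_url"`
}
type PushPayload struct {
	Repo *Repository `json:"repository"`
}

// parsePush decodes a raw webhook body; a null or absent repository leaves Repo nil.
func parsePush(body []byte) (PushPayload, error) {
	var p PushPayload
	err := json.Unmarshal(body, &p)
	return p, err
}

// vulnerableWebURLs mirrors the pre-patch logic: Repo is dereferenced unconditionally.
func vulnerableWebURLs(p PushPayload) []string {
	return []string{p.Repo.HTMLURL} // nil pointer dereference when Repo is nil
}

// patchedWebURLs mirrors the fix: the URL is only appended when Repo is present.
func patchedWebURLs(p PushPayload) []string {
	var webURLs []string
	if p.Repo != nil {
		webURLs = append(webURLs, p.Repo.HTMLURL)
	}
	return webURLs
}

// panics runs fn and reports whether it panicked, so both variants can be compared in-process.
func panics(fn func()) (didPanic bool) {
	defer func() { didPanic = recover() != nil }()
	fn()
	return false
}

func main() {
	// Constructed sample bodies: repository null, then repository present.
	for _, body := range []string{`{"repository":null}`, `{"repository":{"html_url":"https://gogs.example/org/app"}}`} {
		p, _ := parsePush([]byte(body))
		fmt.Printf("%s -> pre-patch panics: %v, patched returns: %v\n", body, panics(func() { vulnerableWebURLs(p) }), patchedWebURLs(p))
	}
}
```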
The patch is included in the following Argo CD versions:
- v2.14.20
- v3.2.0-rc2
- v3.1.8
- v3.0.19
Users should upgrade to one of these versions to remediate the vulnerability.
For more details, see the official advisory: GHSA-wp4p-9pxh-cgx2
Affected Systems and Versions
The following Argo CD versions are affected:
- 1.2.0 through 1.8.7
- 2.0.0-rc1 through 2.14.19
- 3.0.0-rc1 through 3.2.0-rc1
- 3.1.7
- 3.0.18
Systems are vulnerable if they run any of these versions and have the /api/webhook endpoint exposed without a webhook.gogs.secret configured. Default installations are affected unless the secret is set.
Vendor Security History
Argo CD has previously addressed vulnerabilities related to input validation and access control. The project demonstrates mature security practices and typically responds quickly to disclosures. Community engagement and responsible disclosure processes are well established.