CVE-2025-59538

Summary

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is accessed without a length check, causing an index-out-of-range panic. A single unauthenticated HTTP POST is enough to kill the process. This issue is resolved in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.

Affected Software

VendorProductVersion RangeStatus
argoprojargo-cd>= 2.9.0-rc1, < 2.14.20affected
argoprojargo-cd>= 3.2.0-rc1, < 3.2.0-rc2affected
argoprojargo-cd>= 3.1.0-rc1, < 3.1.8affected
argoprojargo-cd>= 3.0.0-rc1, < 3.0.19affected

Weaknesses

  • CWE-248: CWE-248: Uncaught Exception
  • CWE-703: CWE-703: Improper Check or Handling of Exceptional Conditions

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

Additional References

References