{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-59531", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-09-17T17:04:20.373Z", "datePublished": "2025-10-01T20:49:35.428Z", "dateUpdated": "2025-10-02T15:54:24.950Z"}, "containers": {"cna": {"title": "Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload", "problemTypes": [{"descriptions": [{"cweId": "CWE-703", "lang": "en", "description": "CWE-703: Improper Check or Handling of Exceptional Conditions", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc"}, {"name": "https://github.com/argoproj/argo-cd/commit/5c466a4e39802e059e75c0008ae7b7b8e842538f", "tags": ["x_refsource_MISC"], "url": "https://github.com/argoproj/argo-cd/commit/5c466a4e39802e059e75c0008ae7b7b8e842538f"}], "affected": [{"vendor": "argoproj", "product": "argo-cd", "versions": [{"version": ">= 1.2.0, <= 1.8.7", "status": "affected"}, {"version": ">= 2.0.0-rc1, < 2.14.20", "status": "affected"}, {"version": ">= 3.2.0-rc1, < 3.2.0-rc2", "status": "affected"}, {"version": ">= 3.1.0-rc1, < 3.1.8", "status": "affected"}, {"version": ">= 3.0.0-rc1, < 3.0.19", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-10-01T20:49:35.428Z"}, "descriptions": [{"lang": "en", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."}], "source": {"advisory": "GHSA-f9gq-prrc-hrhc", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-02T15:35:32.474779Z", "id": "CVE-2025-59531", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-02T15:54:24.950Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-59531", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-02T15:35:32.474779Z"}}}], "references": [{"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-02T15:35:42.677Z"}}], "cna": {"title": "Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload", "source": {"advisory": "GHSA-f9gq-prrc-hrhc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "argoproj", "product": "argo-cd", "versions": [{"status": "affected", "version": ">= 1.2.0, <= 1.8.7"}, {"status": "affected", "version": ">= 2.0.0-rc1, < 2.14.20"}, {"status": "affected", "version": ">= 3.2.0-rc1, < 3.2.0-rc2"}, {"status": "affected", "version": ">= 3.1.0-rc1, < 3.1.8"}, {"status": "affected", "version": ">= 3.0.0-rc1, < 3.0.19"}]}], "references": [{"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc", "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/argoproj/argo-cd/commit/5c466a4e39802e059e75c0008ae7b7b8e842538f", "name": "https://github.com/argoproj/argo-cd/commit/5c466a4e39802e059e75c0008ae7b7b8e842538f", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-703", "description": "CWE-703: Improper Check or Handling of Exceptional Conditions"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-10-01T20:49:35.428Z"}}}, "cveMetadata": {"cveId": "CVE-2025-59531", "state": "PUBLISHED", "dateUpdated": "2025-10-02T15:54:24.950Z", "dateReserved": "2025-09-17T17:04:20.373Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-10-01T20:49:35.428Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "matchCriteriaId": "CDA16487-4630-4646-9952-32E096B64251", "versionEndIncluding": "1.8.7", "versionStartIncluding": "1.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD4B38D5-4CEC-4C24-AD81-92B9DA4426AC", "versionEndExcluding": "2.14.20", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7FEAEBF-40B8-40E4-B34B-2785B0FEAFEB", "versionEndExcluding": "3.0.19", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "matchCriteriaId": "AFF4E847-D3D6-457A-A47B-98799D28E20E", "versionEndExcluding": "3.1.8", "versionStartIncluding": "3.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:3.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "247C0721-E494-4732-BF53-F249C574A702", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."}], "id": "CVE-2025-59531", "lastModified": "2025-10-07T14:39:29.373", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-10-01T21:16:43.377", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/argoproj/argo-cd/commit/5c466a4e39802e059e75c0008ae7b7b8e842538f"}, {"source": "[email protected]", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-703"}], "source": "[email protected]", "type": "Secondary"}]}

{"bugzilla": {"description": "argocd: argocd-server: gitops: Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload", "id": "2400935", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2400935"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-248", "details": ["Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.", "A denial of service vulnerability was identified in the Argo CD continuous delivery tool, which is distributed as part of Red Hat GitOps product. An unauthenticated attacker can exploit this flaw by sending a specially crafted request to the Application Programming Interface (API) webhook endpoint. This action causes the API server to crash, preventing it from restarting properly. By repeatedly targeting the server, an attacker can cause a complete service outage, making the Argo CD interface unavailable to all users. This vulnerability is only exposed in configurations where a specific webhook secret has not been set."], "mitigation": {"lang": "en:us", "value": "If a BitBucket repository is being used by GitOps it's possible to mitigate this vulnerability by setting up a BitBucket webhook secret to ensure only trusted parties can access the webhook endpoint.\nIn case BitBucket is not being used, the user can set the webhook secret to a long random value to prevent the webhook from being called:\n~~~\napiVersion: v1\nkind: Secret\nmetadata:\nname: argocd-secret\ntype: Opaque\ndata:\n+ webhook.bitbucketserver.secret: <your base64-encoded secret here>\n~~~"}, "name": "CVE-2025-59531", "package_state": [{"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel9", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/gitops-operator-bundle", "product_name": "Red Hat OpenShift GitOps"}], "public_date": "2025-10-01T20:49:35Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-59531\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-59531\nhttps://github.com/argoproj/argo-cd/commit/5c466a4e39802e059e75c0008ae7b7b8e842538f\nhttps://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc"], "statement": "This vulnerability was rated as Important by the Red Hat Product Security team, this happens because an unauthenticated attacker is able to cause a denial of service from the whole GitOps cluster. This vulnerability affects only clusters without a configured 'webhook.bitbucket.secret' configuration key, thus clusters that have this option configured are not exposed to this flaw.\nThis vulnerability lies in a unsafe cast when trying to retrieve the `repository.links.clone`JSON field from BitBucket-Server push request. When the unsafe cast is triggered, the goroutine created by the worker to process the request will fail within an assertion panic and, as it lacks a recovery routine, the whole argocd-server binary will be terminated. If an attacker manages to force all the argocd-server replica nodes to reach this assertion failure, a Denial of Service of the whole cluster will happen.", "threat_severity": "Important"}