Moderate severity · NVD Advisory · Published Jun 25, 2022 · Updated Apr 23, 2025
Argo CD vulnerable to Uncontrolled Memory Consumption
CVE-2022-31016
Description
Argo CD is a declarative continuous deployment tool for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug that allows an authorized malicious user to crash the repo-server service, resulting in a denial of service. The attacker must be an authenticated Argo CD user who is authorized to deploy Applications from a repository that contains (or can be made to contain) a large file. The fix for this vulnerability is available in versions 2.3.5, 2.2.10, 2.1.16, and later. There are no known workarounds; users are recommended to upgrade.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/argoproj/argo-cd (Go) | >= 0.7.0, < 2.1.16 | 2.1.16 |
| github.com/argoproj/argo-cd/v2 (Go) | < 2.1.16 | 2.1.16 |
| github.com/argoproj/argo-cd/v2 (Go) | >= 2.2.0, < 2.2.10 | 2.2.10 |
| github.com/argoproj/argo-cd/v2 (Go) | >= 2.3.0, < 2.3.5 | 2.3.5 |
| github.com/argoproj/argo-cd/v2 (Go) | >= 2.4.0, < 2.4.1 | 2.4.1 |
References
- github.com/advisories/GHSA-jhqp-vf4w-rpwq (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-31016 (NVD advisory)
- github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq (vendor advisory, confirmed)