argo-cd is vulnerable to unauthenticated DoS attack via malformed Gogs webhook payload
Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration (no webhook.gogs.secret set), Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/argoproj/argo-cd | Go | >= 1.2.0, <= 1.8.7 | — |
| github.com/argoproj/argo-cd/v2 | Go | >= 2.0.0-rc1, < 2.14.20 | 2.14.20 |
| github.com/argoproj/argo-cd/v3 | Go | >= 3.2.0-rc1, < 3.2.0-rc2 | 3.2.0-rc2 |
| github.com/argoproj/argo-cd/v3 | Go | >= 3.1.0-rc1, < 3.1.8 | 3.1.8 |
| github.com/argoproj/argo-cd/v3 | Go | >= 3.0.0-rc1, < 3.0.19 | 3.0.19 |
Patches
761fc27068d2 Merge commit from fork
2 files changed · +7 −2
util/webhook/webhook.go+4 −2 modified@@ -284,11 +284,13 @@ func (a *ArgoCDWebhookHandler) affectedRevisionInfo(payloadIf any) (webURLs []st // so we cannot update changedFiles for this type of payload case gogsclient.PushPayload: - webURLs = append(webURLs, payload.Repo.HTMLURL) revision = ParseRevision(payload.Ref) change.shaAfter = ParseRevision(payload.After) change.shaBefore = ParseRevision(payload.Before) - touchedHead = bool(payload.Repo.DefaultBranch == revision) + if payload.Repo != nil { + webURLs = append(webURLs, payload.Repo.HTMLURL) + touchedHead = payload.Repo.DefaultBranch == revision + } for _, commit := range payload.Commits { changedFiles = append(changedFiles, commit.Added...) changedFiles = append(changedFiles, commit.Modified...)
util/webhook/webhook_test.go+3 −0 modified@@ -731,6 +731,9 @@ func Test_affectedRevisionInfo_appRevisionHasChanged(t *testing.T) { {true, "refs/tags/no-slashes", bitbucketRefChangedPayload("no-slashes"), "bitbucket ref changed branch or tag name without slashes, targetRevision tag prefixed"}, {true, "refs/tags/no-slashes", gogsPushPayload("no-slashes"), "gogs push branch or tag name without slashes, targetRevision tag prefixed"}, + // Tests fix for https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2 + {true, "test", gogsclient.PushPayload{Ref: "test", Repo: nil}, "gogs push branch with nil repo in payload"}, + // Testing fix for https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv {false, "test", azuredevops.GitPushEvent{Resource: azuredevops.Resource{RefUpdates: []azuredevops.RefUpdate{}}}, "Azure DevOps malformed push event with no ref updates"},
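Review bot: in the util/webhook/webhook.go hunk, the `payload.Repo != nil` guard stops the nil dereference but makes a push with no repository object succeed silently, returning an empty webURLs and touchedHead == false; consider logging at warning level in an `else` branch so operators can see malformed Gogs payloads arriving at /api/webhook. The unchanged `for _, commit := range payload.Commits` loop that follows is safe as-is, since ranging over a nil slice iterates zero times.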
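Review bot: in the util/webhook/webhook_test.go hunk, the new row builds `gogsclient.PushPayload{Ref: "test", Repo: nil}` in Go directly, so it exercises affectedRevisionInfo but not the JSON decoding that produces the nil; since the advisory covers the repository object being both absent and `null`, a companion test that unmarshals raw bodies for each case into `gogsclient.PushPayload` before calling the handler would pin the end-to-end path. Minor: the two new comments read `Tests fix for` and `Testing fix for`; pick one wording.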
Vulnerability mechanics
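The crash described above is a nil pointer dereference on an optional JSON object. The following Go program is an added illustration, not Argo CD's or the Gogs client's code: it uses stand-in types whose field names (`html_url`, `default_branch`, `repository`) and a simplified `parseRevision` are assumptions, and contrasts the unguarded pre-fix logic with the guarded form from the patch, recovering the panic so both can be compared on a constructed `"repository": null` body.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
)
// Stand-ins for the gogsclient types (assumption: only the fields the fix touches).
type Repository struct {
	HTMLURL       string `json:"html_url"`
	DefaultBranch string `json:"default_branch"`
}
type PushPayload struct {
	Ref  string      `json:"ref"`
	Repo *Repository `json:"repository"` // absent or null decodes to a nil pointer
}
// parseRevision strips the ref prefix (simplified stand-in for ParseRevision).
func parseRevision(ref string) string {
	return strings.TrimPrefix(strings.TrimPrefix(ref, "refs/heads/"), "refs/tags/")
}
// Unchecked mirrors the pre-fix path: payload.Repo is dereferenced unconditionally.
func Unchecked(p PushPayload) (webURLs []string, touchedHead bool) {
	return []string{p.Repo.HTMLURL}, p.Repo.DefaultBranch == parseRevision(p.Ref)
}
// Checked mirrors the fix: Repo-derived values are only set when Repo is present.
func Checked(p PushPayload) (webURLs []string, touchedHead bool) {
	rev := parseRevision(p.Ref)
	if p.Repo != nil {
		webURLs = append(webURLs, p.Repo.HTMLURL)
		touchedHead = p.Repo.DefaultBranch == rev
	}
	return webURLs, touchedHead
}
// Handle decodes a body and runs fn, reporting whether fn panicked (argocd-server had no recover here, so the process died).
func Handle(body []byte, fn func(PushPayload) ([]string, bool)) (urls []string, head, panicked bool) {
	defer func() { panicked = recover() != nil }()
	var p PushPayload
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, false, false
	}
	urls, head = fn(p)
	return urls, head, false
}
func main() {
	// Constructed body with a null repository, the shape that crashed unpatched servers.
	body := []byte(`{"ref":"refs/heads/main","repository":null}`)
	_, _, crashed := Handle(body, Unchecked)
	urls, head, _ := Handle(body, Checked)
	fmt.Printf("unchecked panicked=%v; checked urls=%v touchedHead=%v\n", crashed, urls, head)
}
```

Run it and the unchecked path reports a panic while the checked path returns no URLs and touchedHead=false for the same body.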
References
- github.com/advisories/GHSA-wp4p-9pxh-cgx2 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-59537 (NVD entry)
- github.com/argoproj/argo-cd/commit/761fc27068d2d4cd24e1f784eb2a9033b5ee7f43 (fix commit)
- github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2 (project advisory)
- pkg.go.dev/vuln/GO-2025-39896 (Go vulnerability database)