SB20260502154 - Multiple vulnerabilities in Argo CD
Published: May 2, 2026
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Uncaught Exception (CVE-ID: CVE-2025-59538)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an uncaught exception in the /api/webhook endpoint when processing an Azure DevOps git.push webhook with an empty resource.refUpdates array. A remote attacker can send a specially crafted HTTP POST request to cause a denial of service.
In the default configuration, exploitation is possible when webhook.azuredevops.username and webhook.azuredevops.password are not set.
2) Race condition (CVE-ID: CVE-2025-55191)
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to a race condition in repository credentials handlers in util/db/repository_secrets.go when processing concurrent repository credential operations on the same repository URL. A remote user can send concurrent create, update, or delete operations for repository credentials to cause a denial of service.
The issue can panic the Argo CD server through concurrent map read and write access, and repeated triggering can keep the server unavailable.
3) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2025-59531)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper check or handling of exceptional conditions in the argocd-server webhook handler when processing a Bitbucket-Server webhook payload. A remote attacker can send a specially crafted webhook request to cause a denial of service.
With the default configuration, exploitation is possible when no webhook.bitbucketserver.secret is set, and a malformed repository.links.clone field can panic the argocd-server process.
4) Input validation error (CVE-ID: CVE-2025-59537)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the /api/webhook endpoint when processing Gogs push event payloads. A remote attacker can send a specially crafted webhook request to cause a denial of service.
With the default configuration, exploitation is possible when no webhook.gogs.secret is set, and the crafted JSON sets commits[].repo to null or omits it.
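Three of the four issues above share one failure mode: a webhook handler dereferences a field the payload may omit or set to null, and the resulting Go panic takes down argocd-server. The following is an added illustration of the defensive pattern, not Argo CD's own code or its actual fix: the payload struct is a constructed, simplified stand-in for a Gogs push event (CVE-2025-59537, `commits[].repo` null or absent), and the recover middleware shows how a process should contain a handler panic so one request cannot deny service to everyone.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
)

// cloneURLs extracts repository URLs from a Gogs-style push payload (a constructed
// stand-in, not Argo CD's types). Repo is a pointer so a null or omitted field is nil.
func cloneURLs(body []byte) ([]string, error) {
	var p struct {
		Commits []struct {
			Repo *struct{ CloneURL string `json:"clone_url"` } `json:"repo"`
		} `json:"commits"`
	}
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, err
	}
	if len(p.Commits) == 0 {
		return nil, fmt.Errorf("push event has no commits")
	}
	urls := make([]string, 0, len(p.Commits))
	for i, c := range p.Commits {
		if c.Repo == nil || c.Repo.CloneURL == "" { // reject instead of dereferencing nil
			return nil, fmt.Errorf("commit %d: repo is null or missing", i)
		}
		urls = append(urls, c.Repo.CloneURL)
	}
	return urls, nil
}

// recoverMiddleware logs a handler panic and answers 500 for that request only.
func recoverMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				log.Printf("webhook handler panicked: %v", rec)
				http.Error(w, "internal error", http.StatusInternalServerError)
			}
		}()
		next.ServeHTTP(w, r)
	})
}

func main() {
	_, err := cloneURLs([]byte(`{"commits":[{"id":"abc","repo":null}]}`)) // constructed null repo
	fmt.Println("null repo rejected:", err != nil)
}
```

The logged panic message is also the signal a defender would alert on: a burst of such entries from the webhook handler indicates malformed payloads reaching an endpoint that, per the bulletin, should be protected by a configured webhook secret.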
Remediation
Install the update from the vendor's website.
References
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-g88p-r42r-ppp9
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2