Main Vulnerability Database Vulnerabilities #VU129008

Uncaught Exception in Argo CD - CVE-2025-59538

Published: May 2, 2026

Vulnerability identifier: #VU129008

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2025-59538

CWE-ID: CWE-248

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Argo CD

Software vendor:
Argo

Description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an uncaught exception in the /api/webhook endpoint when processing an Azure DevOps git.push webhook with an empty resource.refUpdates array. A remote attacker can send a specially crafted HTTP POST request to cause a denial of service.

In the default configuration, exploitation is possible when webhook.azuredevops.username and webhook.azuredevops.password are not set.

Remediation

Install security update from vendor's website.

External links

https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv

Uncaught Exception in Argo CD - CVE-2025-59538

Description

Remediation

External links

Please verify you're human