Root cause: uncontrolled resource consumption (CWE-400) while extracting a Helm chart's tar.gz. Before the fix, ExtractChart in util/helm/client.go shelled out to a plain `tar -zxvf` with no check on how much data the archive expands to, so a small but highly compressible chart could inflate without bound and exhaust disk or memory on the host performing the extraction. The fixing commit (b8f92c4) replaces that call with an untarChart helper built on files.Untgz, which enforces size limits during extraction, and changes runRepoOperation() in repository.go to pass the new size-limit parameters through to ExtractChart; previously it invoked the unbounded version with no such safeguards. These two functions are therefore the root cause.
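To make the root cause concrete, the following is an added example, not Argo CD's code and not the patch in commit b8f92c4: a minimal Go extractor in the style of the fix. The Limits type, the ExtractTgz function, the Unbounded constant and the BuildTgz helper are this example's own names and assumptions, as are the limit values. It builds a constructed chart archive whose values.yaml is tens of MiB of zeros, shows that unbounded extraction (the old `tar -zxvf` behaviour) inflates it in full, and shows that checking each entry's declared size against per-file and total caps before the body is read refuses the archive without inflating anything. The tar-slip path check goes slightly beyond this advisory's CWE-400 scope but belongs in any extractor that accepts untrusted archives.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"math"
	"path"
	"strings"
)

var ErrTooLarge = errors.New("archive exceeds extraction size limit")
var ErrBadPath = errors.New("archive entry path escapes extraction root")

// Limits caps one extraction. Field names are this example's own, not Argo CD's.
type Limits struct {
	MaxTotalBytes int64 // sum of all regular file sizes
	MaxFileBytes  int64 // size of any single regular file
}

// Unbounded reproduces the pre-fix behaviour of a plain `tar -zxvf`: no caps at all.
var Unbounded = Limits{MaxTotalBytes: math.MaxInt64, MaxFileBytes: math.MaxInt64}

// ExtractTgz walks a gzip-compressed tar stream and returns the size of each regular
// file it would have written, plus the total. Bodies go to io.Discard, not disk.
func ExtractTgz(r io.Reader, lim Limits) (map[string]int64, int64, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, 0, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	files := map[string]int64{}
	var total int64
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return files, total, nil
		}
		if err != nil && hdr == nil {
			return nil, total, err
		}
		// Tar-slip guard (archive/tar may report tar.ErrInsecurePath yet still return hdr).
		name := path.Clean(hdr.Name)
		if err != nil || path.IsAbs(name) || name == ".." || strings.HasPrefix(name, "../") {
			return nil, total, ErrBadPath
		}
		if hdr.Typeflag != tar.TypeReg {
			continue // directories, symlinks, etc. are not materialised here
		}
		// Enforce the caps on the DECLARED size, before reading: a gzip bomb is never inflated.
		if hdr.Size > lim.MaxFileBytes || total > lim.MaxTotalBytes-hdr.Size {
			return nil, total, ErrTooLarge
		}
		n, err := io.Copy(io.Discard, tr) // archive/tar bounds this read to hdr.Size
		if err != nil {
			return nil, total, err
		}
		total += n
		files[name] = n
	}
}

// BuildTgz builds an in-memory .tgz (constructed test data) of zero-filled files.
func BuildTgz(entries map[string]int64) ([]byte, error) {
	var out bytes.Buffer
	gz := gzip.NewWriter(&out)
	tw := tar.NewWriter(gz)
	for name, size := range entries {
		hdr := &tar.Header{Name: name, Mode: 0o644, Size: size, Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := tw.Write(make([]byte, size)); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	err := gz.Close() // must complete before out.Bytes() is taken
	return out.Bytes(), err
}

func main() {
	const mib = 1 << 20
	// Constructed chart: values.yaml is 32 MiB of zeros, so the .tgz is only a few KiB.
	bomb, err := BuildTgz(map[string]int64{"chart/Chart.yaml": 512, "chart/values.yaml": 32 * mib})
	if err != nil {
		panic(err)
	}
	_, n, err := ExtractTgz(bytes.NewReader(bomb), Unbounded)
	fmt.Printf("%d-byte .tgz, unbounded extraction: %d bytes, err=%v\n", len(bomb), n, err)
	_, n, err = ExtractTgz(bytes.NewReader(bomb), Limits{MaxTotalBytes: 10 * mib, MaxFileBytes: mib})
	fmt.Printf("bounded extraction: %d bytes, err=%v\n", n, err)
}
```

Run it with `go run`: the unbounded call reports the full 32 MiB plus the small Chart.yaml, while the bounded call returns ErrTooLarge before a single byte of the large entry is read. The caps are applied to the size declared in the tar header, which is also what archive/tar uses to bound the body read, so an attacker cannot understate the size without breaking the archive's framing; an extractor that writes to disk should additionally count the bytes it actually writes.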
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/argoproj/argo-cd/v2 | go | >= 2.4.0, < 2.6.15 | 2.6.15 |
| github.com/argoproj/argo-cd/v2 | go | >= 2.7.0, < 2.7.14 | 2.7.14 |
| github.com/argoproj/argo-cd/v2 | go | >= 2.8.0, < 2.8.3 | 2.8.3 |