CVE-2025-59531: Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload

September 30, 2025 (updated October 1, 2025)

Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients.

With the default configuration, no webhook.bitbucketserver.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Bitbucket-Server push event whose JSON field repository.links.clone is anything other than an array.

A single unauthenticated curl request can push the control-plane into CrashLoopBackOff; repeating the request on each replica causes a complete outage of the API.

References

Code Behaviors & Features

Detect and mitigate CVE-2025-59531 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →