CVE-2025-59537: argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload
(updated )
Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients.
With the default configuration, no webhook.gogs.secret
set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo
is not set or is null.
References
Code Behaviors & Features
Detect and mitigate CVE-2025-59537 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →