CVE-2025-59537: argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload

September 30, 2025 (updated October 23, 2025)

Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients.

With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null.

References

github.com/advisories/GHSA-wp4p-9pxh-cgx2
github.com/argoproj/argo-cd
github.com/argoproj/argo-cd/commit/761fc27068d2d4cd24e1f784eb2a9033b5ee7f43
github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2
nvd.nist.gov/vuln/detail/CVE-2025-59537
pkg.go.dev/vuln/GO-2025-39896

Code Behaviors & Features

Detect and mitigate CVE-2025-59537 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →