CVE-2025-59538: Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook
In the default configuration, with webhook.azuredevops.username and webhook.azuredevops.password not set, Argo CD's /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is accessed without a length check, causing an index-out-of-range panic. A single unauthenticated HTTP POST is enough to kill the process.
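The length check the advisory describes, shown as an added example that is not Argo CD's own code: a minimal Go webhook handler that parses only the resource.refUpdates part of an Azure DevOps git.push payload, with the unguarded [0] access placed beside the guarded version, plus a recover wrapper so that a parser panic fails only the offending request. The payload structs, the function names (branchFromPush, branchFromPushUnsafe, webhookHandler, serveWebhook) and the two sample payloads are constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Minimal model of an Azure DevOps git.push payload (constructed for this
// example); only the fields the handler reads are declared.
type refUpdate struct {
	Name        string `json:"name"`
	OldObjectID string `json:"oldObjectId"`
	NewObjectID string `json:"newObjectId"`
}

type pushEvent struct {
	EventType string `json:"eventType"`
	Resource  struct {
		RefUpdates []refUpdate `json:"refUpdates"`
	} `json:"resource"`
}

var errNoRefUpdates = errors.New("push event carries no refUpdates")

// Constructed sample payloads: a well-formed push and the malformed
// variant with an empty refUpdates array.
const samplePush = `{"eventType":"git.push","resource":{"refUpdates":[{"name":"refs/heads/main","oldObjectId":"0000","newObjectId":"1111"}]}}`
const emptyRefUpdates = `{"eventType":"git.push","resource":{"refUpdates":[]}}`

// branchFromPushUnsafe reproduces the risky pattern: indexing [0] with no
// length check, which panics with "index out of range" on an empty array.
func branchFromPushUnsafe(body []byte) (string, error) {
	var ev pushEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		return "", err
	}
	return ev.Resource.RefUpdates[0].Name, nil // panics when refUpdates is []
}

// branchFromPush is the guarded version: validate the slice before indexing
// and report a malformed payload as an ordinary error.
func branchFromPush(body []byte) (string, error) {
	var ev pushEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		return "", err
	}
	if len(ev.Resource.RefUpdates) == 0 {
		return "", errNoRefUpdates
	}
	return ev.Resource.RefUpdates[0].Name, nil
}

// webhookHandler wraps a parser with a recover so that a panic in it turns
// into a 500 for that request instead of terminating the process, and maps
// parser errors to 400. Body size is capped so a large POST cannot exhaust memory.
func webhookHandler(parse func([]byte) (string, error)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				http.Error(w, "malformed webhook payload", http.StatusInternalServerError)
			}
		}()
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
		if err != nil {
			http.Error(w, "cannot read body", http.StatusBadRequest)
			return
		}
		branch, err := parse(body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "refreshing %s\n", branch)
	}
}

// serveWebhook drives a handler with an in-memory POST and returns the status code.
func serveWebhook(h http.HandlerFunc, payload string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/webhook", strings.NewReader(payload))
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	fmt.Println("guarded, good payload:  ", serveWebhook(webhookHandler(branchFromPush), samplePush))
	fmt.Println("guarded, empty array:   ", serveWebhook(webhookHandler(branchFromPush), emptyRefUpdates))
	fmt.Println("unguarded, empty array: ", serveWebhook(webhookHandler(branchFromPushUnsafe), emptyRefUpdates))
}
```

The guarded parser rejects the empty array with 400; the unguarded one panics, and only the recover in the wrapper keeps that to a 500. Go's net/http recovers panics raised on the handler's own goroutine, but a panic in any goroutine without a recover terminates the whole process, so the bounds check before indexing is the fix and the recover is defence in depth.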