CVE-2025-59537: 
Argo CD vulnerability analysis and mitigation

Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, was found to contain a vulnerability affecting versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18. The vulnerability allows malicious API requests to crash the API server and cause denial of service to legitimate clients. The issue was discovered and disclosed on September 30, 2025, and has been assigned CVE-2025-59537 with a CVSS v3.1 score of 7.5 (High) (GitHub Advisory).

The vulnerability exists in Argo CD's /api/webhook endpoint when no webhook.gogs.secret is set in the default configuration. The issue occurs when the endpoint receives a Gogs push event where the JSON field commits[].repo is not set or is null. The root cause is improper input validation in the affectedRevisionInfo function, which attempts to access payload.Repo.HTMLURL without validating if the Repo object is nil. This results in a nil pointer dereference, causing the entire argocd-server process to crash (GitHub Advisory, Miggo).

When exploited, this vulnerability allows an attacker to cause a Denial of Service (DoS) condition by making the Argo CD service unavailable through continuously sending unauthenticated requests to the /api/webhook endpoint. The impact is particularly severe as it affects the entire argocd-server process, disrupting service for all legitimate users (GitHub Advisory).

The vulnerability has been fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8, and 3.0.19. For users who cannot immediately update, there are two mitigation options: 1) If using Gogs and needing to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler, 2) If not using Gogs, set the webhook.gogs.secret to a long, random value to effectively disable webhook handling for Gogs payloads (GitHub Advisory).