BIT-argo-cd-2025-59531

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/argo-cd/BIT-argo-cd-2025-59531.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-argo-cd-2025-59531

Aliases

Published

2025-10-06T08:54:07.204Z

Modified

2026-03-20T10:00:10.257527Z

Summary

Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload

Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0 through 2.14.19, 3.0.0 through 3.2.0, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.1.8 and 3.0.19.

Database specific

{
    "cpes": [
        "cpe:2.3:a:linuxfoundation:argo_continuous_delivery:*:*:*:*:*:kubernetes:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / argo-cd

Package

Name: argo-cd
Purl: pkg:bitnami/argo-cd

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

1.2.0

Fixed

2.14.20

Introduced

3.0.0

Fixed

3.0.19

Introduced

3.1.0

Fixed

3.1.8

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/argo-cd/BIT-argo-cd-2025-59531.json"