{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-12T13:28:32.609","vulnerabilities":[{"cve":{"id":"CVE-2025-59531","sourceIdentifier":"security-advisories@github.com","published":"2025-10-01T21:16:43.377","lastModified":"2025-10-07T14:39:29.373","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-703"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*","versionStartIncluding":"1.2.0","versionEndIncluding":"1.8.7","matchCriteriaId":"CDA16487-4630-4646-9952-32E096B64251"},{"vulnerable":true,"criteria":"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"2.14.20","matchCriteriaId":"FD4B38D5-4CEC-4C24-AD81-92B9DA4426AC"},{"vulnerable":true,"criteria":"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.0.19","matchCriteriaId":"E7FEAEBF-40B8-40E4-B34B-2785B0FEAFEB"},{"vulnerable":true,"criteria":"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1.0","versionEndExcluding":"3.1.8","matchCriteriaId":"AFF4E847-D3D6-457A-A47B-98799D28E20E"},{"vulnerable":true,"criteria":"cpe:2.3:a:argoproj:argo_cd:3.2.0:rc1:*:*:*:*:*:*","matchCriteriaId":"247C0721-E494-4732-BF53-F249C574A702"}]}]}],"references":[{"url":"https://github.com/argoproj/argo-cd/commit/5c466a4e39802e059e75c0008ae7b7b8e842538f","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]},{"url":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-f9gq-prrc-hrhc","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}