Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/argoproj/argo-cd(Go) | 1.0.0 | N/A | N/A |
| github.com/argoproj/argo-cd/v2(Go) | 0 | 2.9.20 | N/A |
| github.com/argoproj/argo-cd/v2(Go) | 2.10.0 | 2.10.15 | N/A |
| github.com/argoproj/argo-cd/v2(Go) | 2.11.0 | 2.11.6 | N/A |
CVSS Metrics
