What is the CVSS score of CVE-2025-59531?

CVE-2025-59531 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.2%.

Which versions of Kubernetes are affected by CVE-2025-59531?

Organizations using Argo CD face notable risk from CVE-2025-59531 rated CVSS 7.5. Exploitation could compromise the security of affected deployments.. A patch is available.

Is there a public PoC exploit available for CVE-2025-59531?

Yes, a public proof-of-concept exploit is available for CVE-2025-59531. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2025-59531?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Vendor patch is available.

Kubernetes CVE-2025-59531

HIGH

Improper Check or Handling of Exceptional Conditions (CWE-703)

2025-10-01 security-advisories@github.com

GHSA-f9gq-prrc-hrhc

Denial Of Service Kubernetes Argo Cd Red Hat Suse

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SUSE

HIGH

qualitative

Red Hat

7.5 HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 13, 2026 - 18:18 vuln.today

PoC Detected

Oct 07, 2025 - 14:39 vuln.today

Public exploit code

Patch released

Oct 07, 2025 - 14:39 nvd

Patch available

CVE Published

Oct 01, 2025 - 21:16 nvd

HIGH 7.5

DescriptionGitHub Advisory

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.

Analysis

Technical ContextAI

A denial of service vulnerability allows an attacker to disrupt the normal functioning of a system, making it unavailable to legitimate users.

RemediationAI

A vendor patch is available — apply it immediately. Implement rate limiting and input validation. Use timeout mechanisms for resource-intensive operations. Deploy DDoS protection where applicable.

More from same product – last 7 days

CVE-2026-50563 CRITICAL Act Now

9.9 Jun 10

Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.24.0 allows a tenant with Fu

CVE-2026-50566 CRITICAL Act Now

9.9 Jun 10

Privilege escalation in Fission prior to version 1.24.0 allows a tenant holding environments.fission.io create/update RB

CVE-2026-50545 CRITICAL Act Now

9.9 Jun 10

Privilege escalation in Fission prior to 1.24.0 allows an authenticated user with permission to create or modify Environ

CVE-2026-50564 CRITICAL Act Now

9.9 Jun 10

Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.24.0 allows a tenant with En

CVE-2026-49824 HIGH This Week

8.5 Jun 10

Cross-namespace access control bypass in Fission (Kubernetes-native serverless framework) prior to 1.24.0 allows an auth

Vendor StatusVendor

SUSE

Severity: High

Product	Status
openSUSE Tumbleweed	Fixed

CVE-2025-59531 vulnerability details – vuln.today

Back

Kubernetes CVE-2025-59531

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

Analysis

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code