What is the CVSS score of CVE-2025-59538?

CVE-2025-59538 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Kubernetes are affected by CVE-2025-59538?

Organizations using Argo CD face notable risk from CVE-2025-59538 rated CVSS 7.5. Exploitation could compromise the security of affected deployments.. A patch is available.

Is there a public PoC exploit available for CVE-2025-59538?

Yes, a public proof-of-concept exploit is available for CVE-2025-59538. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-59538?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Vendor patch is available.

Kubernetes CVE-2025-59538

HIGH

Uncaught Exception (CWE-248)

2025-10-01 security-advisories@github.com

GHSA-gpx4-37g2-c8pv

Denial Of Service Kubernetes Red Hat Argo Cd Suse

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 13, 2026 - 18:18 vuln.today

PoC Detected

Oct 07, 2025 - 14:28 vuln.today

Public exploit code

Patch released

Oct 07, 2025 - 14:28 nvd

Patch available

CVE Published

Oct 01, 2025 - 21:16 nvd

HIGH 7.5

DescriptionNVD

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is accessed without a length check, causing an index-out-of-range panic. A single unauthenticated HTTP POST is enough to kill the process. This issue is resolved in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.

Analysis

Technical ContextAI

A denial of service vulnerability allows an attacker to disrupt the normal functioning of a system, making it unavailable to legitimate users.

RemediationAI

A vendor patch is available — apply it immediately. Implement rate limiting and input validation. Use timeout mechanisms for resource-intensive operations. Deploy DDoS protection where applicable.