Description

Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint

Summary

This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments.

Details

The webhook server always listens to requests. By default, the endpoint doesn't require authentication. It's possible to send a large, malicious request with headers (in this case "X-GitHub-Event: push") that will make ArgoCD start allocating memory to parse the incoming request. Since the request can be constructed client-side without allocating large amounts of memory, it can be arbitrarily large. Eventually, the argocd-server component will get OOMKilled as it consumes all its available memory.

The fix would be to enforce a limit on the size of the request being parsed.

PoC

Port-forward to the argocd-server service, like so:

kubectl port-forward svc/argocd-server -n argocd 8080:443

Run the below code:

package main

import (
	"crypto/tls"
	"io"
	"net/http"
)
...
Show more

Patches

A patch for this vulnerability has been released in the following Argo CD versions:

v2.11.6 v2.10.15 v2.9.20

For more information

If you have any questions or comments about this advisory:

Open an issue in the Argo CD issue tracker or discussions Join us on Slack in channel #argo-cd

Credits

This vulnerability was found & reported by Jakub Ciolek

The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue

Mitigation

Aliases

References