CVE-2024-29893

Uncontrolled Resource Consumption vulnerability in ArgoCD's repo server

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server component through an out of memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in the ArgoCD's helm package, does not limit the size nor time while fetching the data. It fetches it and creates a byte slice from the retrieved data in one go. If the registry is implemented to push data continuously, the repo server will keep allocating memory until it runs out of it. A patch for this vulnerability has been released in v2.10.3, v2.9.8, and v2.8.12.

Category

6.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.61%
Vendor Advisory github.com
Affected: argoproj argo-cd
Published at:
Updated at:

References

Link Tags
https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3 vendor advisory
https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d patch
https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59 patch
https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd patch

Frequently Asked Questions

What is the severity of CVE-2024-29893?
CVE-2024-29893 has been scored as a medium severity vulnerability.
How to fix CVE-2024-29893?
To fix CVE-2024-29893, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-29893 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-29893 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-29893?
CVE-2024-29893 affects argoproj argo-cd.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.