In Rancher Manager versions 2.9.0 through 2.9.11, 2.10.0 through 2.10.9, 2.11.0 through 2.11.5, and 2.12.0 through 2.12.1, a high-severity vulnerability, CVE-2024-58260, was detected. A missing server-side validation on the `.username` field allows users with update permissions on other User resources to cause denial of access for targeted accounts, potentially impacting system availability and user access. To address this issue, users should upgrade Rancher Manager to versions 2.9.12, 2.10.10, 2.11.6, 2.12.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-58260.
In Rancher Manager versions 2.9.0 through 2.9.11, 2.10.0 through 2.10.9, 2.11.0 through 2.11.5, and 2.12.0 through 2.12.1, a medium-severity vulnerability, CVE-2025-54468, was detected. The `/meta/proxy` endpoint may send `Impersonate-Extra-*` headers to external entities, such as amazonaws.com. These headers can contain identifiable or sensitive information, including email addresses. To address this issue, users should upgrade Rancher Manager to versions 2.9.12, 2.10.10, 2.11.6, 2.12.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-54468.
In Argo CD versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6, and 3.0.17, a high-severity vulnerability, CVE-2025-59538, was detected. This vulnerability allows unauthenticated attackers to cause a denial of service (DoS) by sending a malformed Azure DevOps `git.push` webhook to the `/api/webhook` endpoint when `webhook.azuredevops.username` and `webhook.azuredevops.password` are not set; the server process crashes due to an index-out-of-range panic on an empty JSON array. To address this issue, users should upgrade Argo CD to versions 2.14.20, 3.2.0-rc2, 3.1.8 or 3.0.19. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-59538.
In Argo CD versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7, and 3.0.18, a high-severity vulnerability, CVE-2025-59537, was detected. This vulnerability allows unauthenticated attackers to cause a denial-of-service (DoS) condition by sending a malformed Gogs webhook payload to the `/api/webhook` endpoint when `webhook.gogs.secret` is not set; the Argo CD server process crashes if the `commits[].repo` field in the JSON payload is missing or null. To address this issue, users should upgrade Argo CD to versions 2.14.20, 3.2.0-rc2, 3.1.8 or 3.0.19. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-59537.
In Argo CD versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7, and 3.0.18, a high-severity vulnerability, CVE-2025-59531, was detected. This vulnerability allows unauthenticated attackers to cause a denial-of-service (DoS) condition by sending a malformed Bitbucket Server webhook payload to the `/api/webhook` endpoint when `webhook.bitbucketserver.secret` is not configured; the Argo CD server process crashes, potentially triggering a full API outage. To address this issue, users should upgrade Argo CD to versions 2.14.20, 3.2.0-rc2, 3.1.8 or 3.0.19. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-59531.
In Argo CD versions between 2.1.0 and 2.14.19, 3.2.0-rc1, 3.1.0-rc1 through 3.1.7, and 3.0.0-rc1 through 3.0.18, a high-severity vulnerability, CVE-2025-55191, was detected. This vulnerability allows authenticated attackers with repository permissions to trigger a race condition in the repository credentials handler, causing the Argo CD server to panic and crash, leading to denial of service. To address this issue, users should upgrade Argo CD to versions 2.14.20, 3.2.0-rc2, 3.1.8, 3.0.19 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-55191.
In GitLab CE/EE versions from 11.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, a high-severity vulnerability, CVE-2025-8014, was detected. This issue allows unauthenticated users to bypass GraphQL query complexity limits, causing uncontrolled CPU consumption and potential denial of service (DoS). To address this issue, users should upgrade GitLab to versions 18.2.7, 18.3.3, 18.4.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8014.
In GitLab EE versions from 16.6 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, a medium-severity vulnerability, CVE-2025-7691, was detected. This privilege escalation issue could allow a developer with specific group management permissions to escalate their privileges and obtain unauthorized access to additional system capabilities. To address this issue, users should upgrade GitLab EE to versions 18.2.7, 18.3.3, 18.4.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7691.
In GitLab CE/EE versions from 17.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, a low-severity vulnerability, CVE-2025-5069, was detected. This issue could allow an authenticated user to gain unauthorized access to confidential issues by creating a project with a name identical to the victim's project. To address this issue, users should upgrade GitLab CE/EE to versions 18.2.7, 18.3.3, 18.4.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5069.