{"id":"CVE-2022-31016","summary":"Argo CD vulnerable to Uncontrolled Memory Consumption","details":"Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. The fix for this vulnerability is available in versions 2.3.5, 2.2.10, 2.1.16, and later. There are no known workarounds. Users are recommended to upgrade.","aliases":["GHSA-jhqp-vf4w-rpwq","GO-2022-0495"],"modified":"2026-04-17T04:22:10.984425Z","published":"2022-06-25T07:40:10Z","database_specific":{"unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0.7.0"},{"fixed":"2.1.16"},{"introduced":"2.0.0"},{"fixed":"2.2.10"},{"introduced":"2.3.0"},{"fixed":"2.3.5"}]}],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31016.json","cwe_ids":["CWE-400"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31016.json"},{"type":"ADVISORY","url":"https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31016"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/argoproj/argo-cd","events":[{"introduced":"6fc345f555dff62d232fe03bf17b8bf84d7f1b5d"},{"fixed":"903db5fe464032bd5a10bf32fe17639e76634c2a"},{"introduced":"6da92a8e8103ce4145bb0fe2b7e952be79c9ff0a"},{"fixed":"8db0e57b738ff5b0b276031573576fdc3498c04f"},{"introduced":"fe427802293b090f43f91f5839393174df6c3b3a"},{"fixed":"1287d24bfe47bcaa6e791e5ff12fa1c1bf57a442"},{"introduced":"91aefabc5b213a258ddcfe04b8e69bb4a2dd2566"},{"fixed":"52e6025f8b565705025d029e8bed36d6caa5ecf7"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0.7.0"},{"fixed":"2.1.16"},{"introduced":"2.2.0"},{"fixed":"2.2.10"},{"introduced":"2.3.0"},{"fixed":"2.3.5"},{"introduced":"2.4.0"},{"fixed":"2.4.1"}]}}],"versions":["v0.7.0","v0.7.1","v0.8.0","v2.1.0","v2.1.0-rc1","v2.1.0-rc2","v2.1.0-rc3","v2.1.1","v2.1.10","v2.1.11","v2.1.12","v2.1.13","v2.1.14","v2.1.15","v2.1.2","v2.1.3","v2.1.4","v2.1.5","v2.1.6","v2.1.7","v2.1.8","v2.1.9","v2.2.0","v2.2.1","v2.2.2","v2.2.3","v2.2.4","v2.2.5","v2.2.6","v2.2.7","v2.2.8","v2.2.9","v2.3.0","v2.3.1","v2.3.2","v2.3.3","v2.3.4","v2.4.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-31016.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}