Argo Workflows Webhook Interceptor Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Argo Workflows versions prior to 3.7.14 and 4.0.0 through 4.0.5. The issue arises in the Webhook Interceptor, which loads the entire request body into memory before authenticating the request or verifying its signature. This vulnerability is present on the publicly accessible '/api/v1/events/' endpoint, intended for webhooks. An attacker can exploit this by sending a request with an excessively large body, potentially leading to an Out-Of-Memory crash and service disruption.

Impact

Exploitation of this vulnerability can cause the Argo Server to crash, disrupting workflow execution and API access for all users.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/v1/events/' endpoint of a vulnerable Argo Workflows server. Include a 'Content-Length' header indicating a size greater than 2MB, and stream a body that exceeds this limit. The server's memory usage will spike, potentially leading to a crash.

Remediation

Users can update to Argo Workflows versions 3.7.14 or 4.0.5, where this vulnerability has been patched. Instructions for updating are available in the Argo Workflows upgrading guide.
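The defensive pattern the fix relies on, shown as an added example that is not Argo's own code: bound the body read before any signature check, so an unauthenticated client can never force a large allocation. The 2 MB limit is taken from this advisory; the X-Webhook-Signature header and HMAC-SHA256 scheme are assumptions for illustration, not Argo's actual webhook format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"net/http"
)

// maxWebhookBody bounds how much of a body is ever buffered (the 2 MB limit above).
const maxWebhookBody = 2 << 20

// readBoundedBody reads at most maxWebhookBody+1 bytes, whatever Content-Length claims.
func readBoundedBody(r io.Reader) (body []byte, tooLarge bool, err error) {
	body, err = io.ReadAll(io.LimitReader(r, maxWebhookBody+1))
	if err != nil {
		return nil, false, err
	}
	return body, len(body) > maxWebhookBody, nil
}

// signBody returns a hex HMAC-SHA256 over body (constructed scheme, not Argo's own format).
func signBody(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// verifySignature compares the presented signature in constant time.
func verifySignature(secret, body []byte, sigHex string) bool {
	return hmac.Equal([]byte(signBody(secret, body)), []byte(sigHex))
}

// webhookHandler bounds the read before authenticating, so the size check never depends on trust.
func webhookHandler(secret []byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, tooLarge, err := readBoundedBody(r.Body)
		switch {
		case err != nil:
			http.Error(w, "bad request", http.StatusBadRequest)
		case tooLarge:
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
		case !verifySignature(secret, body, r.Header.Get("X-Webhook-Signature")):
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		default:
			w.WriteHeader(http.StatusOK)
		}
	}
}
```

An oversized body is answered with 413 after at most ~2 MB has been read, while a correctly signed small body is accepted and an unsigned one gets 401.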

Added: May 9, 2026, 4:21 AM
Updated: May 9, 2026, 4:21 AM

Vulnerability Rating

Custom Algorithm (score out of 10 per category)
spread: 4.5
impact: 2.5
exploitability: 7.6
remediation: 7.7
relevance: 7.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.