Platform
java
Component
io.spinnaker.clouddriver:clouddriver-artifacts
Fixed in
2025.2.4
2025.2.5
2025.3.1
2025.4.1
CVE-2026-25534 is a critical vulnerability in Spinnaker Clouddriver Artifacts (builds up to main-99). It lets an attacker bypass the component's URL validation logic and supply URLs the validator was meant to reject. The root cause is improper handling of underscores in Java URL objects, which circumvents the mitigation that was introduced for CVE-2025-61916. Versions prior to 2025.2.4 are affected; 2025.2.4 and later contain the fix.
Because crafted URLs pass Spinnaker's intended validation, successful exploitation could lead to arbitrary code execution within the Spinnaker environment and give the attacker significant control over the affected system. The impact is not confined to the artifacts component: the same URL parsing issue affects Orca's fromUrl expression handling, so an attacker could manipulate deployments and other critical Spinnaker operations through crafted URLs. The blast radius is correspondingly large, potentially every pipeline and deployment managed by the Spinnaker instance.
CVE-2026-25534 was publicly disclosed on March 16, 2026. It is rated critical because of its potential for arbitrary code execution. No public proof-of-concept (PoC) had been released at the time of writing, but a validation bypass in critical delivery infrastructure is an attractive target and exploitation is considered likely. Patching should be prioritised.
Organisations that depend on Spinnaker for continuous delivery pipelines are at significant risk, in particular those running older versions (builds up to main-99) and those with custom fromUrl expressions in Orca. Shared Spinnaker installations face additional risk because a bypass in one tenant's pipeline could affect others.
• linux / server: pull Clouddriver's URL validation log lines and keep those whose URL carries an underscore in the authority (host) component, where underscores are not valid in hostnames:
journalctl -u spinnaker-clouddriver -g 'URL validation' | grep -E '://[^/[:space:]]*_'
• generic web: confirm which artifacts endpoint is reachable through the front-end proxy (this shows reachability only, not whether the fix is installed):
curl -I <spinnaker_url>/artifacts/ | grep 'Content-Type:'
• generic web: look for URL-valued query parameters whose host part contains an underscore; URLs submitted in request bodies do not appear in the access log:
grep -Ei 'https?(%3A|:)(%2F%2F|//)[^/%&" ]*_' /var/log/nginx/access.log
Exploit status
EPSS
0.05% (14th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-25534 is to upgrade Spinnaker Clouddriver Artifacts to version 2025.2.4 or later, which contains the fix. If an immediate upgrade is not feasible, stricter URL filtering at the proxy or WAF can reduce exposure, but scope it to the host (authority) component: underscores are not valid in hostnames, whereas they are legal and very common in paths and query strings (for example build_123.tgz), so a rule that blocks every underscore will break legitimate artifact fetches. Review and audit existing fromUrl expressions in Orca and sanitise any that accept attacker-influenced input. After upgrading, confirm the fix with a test URL whose host contains an underscore (for example http://internal_host.example/) and verify that it is rejected; a URL with an underscore only in the path, such as http://example.com/_evil, does not exercise the host handling and proves nothing.
Update Spinnaker clouddriver and orca to versions 2025.4.1, 2025.3.1, 2025.2.4 or 2026.0.0 or later. Alternatively, the affected artifact types can be disabled in the system.
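To make the parser behaviour behind this advice concrete, here is an added example (not Spinnaker's or the advisory's code) showing how java.net.URL and java.net.URI disagree on hostnames that contain an underscore, and what a host check that refuses to proceed on such disagreement looks like. The allow-list, host names and sample URLs are constructed for illustration; the page does not state that this exact divergence is the path used by CVE-2026-25534, only that the underlying issue is underscore handling in Java URL objects.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not Spinnaker code: java.net.URI.getHost() returns null for a
 * hostname containing an underscore (the authority is not "server-based" in
 * URI's grammar), while java.net.URL.getHost() returns the string verbatim.
 * A validator that derives the host from one parser and fetches with the other
 * can be bypassed; requiring agreement closes that gap.
 */
public class UnderscoreHostCheck {

    // Hypothetical allow-list of artifact hosts (assumption for this example).
    private static final Set<String> ALLOWED_HOSTS = Set.of("artifacts.example.com");

    /** Host as seen by java.net.URI; null when the authority is not server-based. */
    static String uriHost(String spec) {
        try {
            return new URI(spec).getHost();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Host as seen by java.net.URL (lenient; the constructor is deprecated since JDK 20 but still works). */
    static String urlHost(String spec) {
        try {
            return new URL(spec).getHost();
        } catch (MalformedURLException e) {
            return null;
        }
    }

    /**
     * Weak validator: compares the URI host to the allow-list but treats a null
     * host as "nothing to check". An underscore in the hostname yields exactly that null.
     */
    static boolean weakValidate(String spec) {
        String host = uriHost(spec);
        if (host == null) {
            return true; // the hole: no host means no comparison
        }
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /**
     * Hardened validator: both parsers must yield the same non-empty host, the
     * scheme must be https, and the host must be allow-listed. Every URL whose
     * host contains an underscore is rejected because URI.getHost() is null there.
     */
    static boolean strictValidate(String spec) {
        URI uri;
        try {
            uri = new URI(spec);
        } catch (URISyntaxException e) {
            return false;
        }
        String a = uri.getHost();
        String b = urlHost(spec);
        if (a == null || a.isEmpty() || b == null || !a.equalsIgnoreCase(b)) {
            return false; // missing host or parser disagreement
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        return ALLOWED_HOSTS.contains(a.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the hostnames are placeholders.
        String[] samples = {
            "https://artifacts.example.com/release/build_123.tgz",   // underscore in the path: legitimate
            "https://internal_host.example/latest",                   // underscore in the host
            "https://artifacts.example.com@internal_host.example/x",  // allow-listed name in userinfo, real host has underscore
        };
        for (String s : samples) {
            System.out.printf("%-58s URI.getHost=%-24s URL.getHost=%-24s weak=%-5b strict=%b%n",
                    s, uriHost(s), urlHost(s), weakValidate(s), strictValidate(s));
        }
    }
}
```

Compile with `javac UnderscoreHostCheck.java` and run with `java UnderscoreHostCheck`. The first sample is accepted by both validators, which is the point about WAF scoping: an underscore in the path is ordinary and both parsers agree on the host. The second and third samples show URI.getHost() returning null while URL.getHost() returns the underscore hostname; the weak check lets them through, the strict check rejects them because the two views of the host do not match.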
CVE-2026-25534 is a critical vulnerability in Spinnaker Clouddriver Artifacts that lets attackers bypass URL validation because of improper handling of underscores in Java URL objects. It can lead to code execution.
Yes. Spinnaker Clouddriver Artifacts versions prior to 2025.2.4 (builds up to main-99) are affected.
Upgrade Spinnaker Clouddriver Artifacts to version 2025.2.4 or later. WAF rules scoped to the host component of artifact URLs are a temporary workaround only.
No public exploits are currently known, but the nature of the bypass and its connection to a previous CVE mean exploitation should be expected.
Refer to the Spinnaker project's security advisories on their official website or GitHub repository for the latest information.