Platform: java
Component: io.spinnaker.clouddriver:clouddriver-artifacts
Fixed in: 2025.1.6, 2025.1.7, 2025.2.1, 2025.2.4
CVE-2025-61916 is a Server-Side Request Forgery (SSRF) vulnerability in the io.spinnaker.clouddriver:clouddriver-artifacts component of Spinnaker. An attacker who can edit artifact configuration can make Clouddriver issue HTTP requests to URLs of their choosing and potentially extract sensitive data, including authentication material. The vulnerability affects Spinnaker Clouddriver Artifacts versions up to and including main-99. A fix is available in version 2025.1.6.
The core impact of CVE-2025-61916 is that the attacker-controlled requests originate from the Spinnaker server, so they carry its network position and, for some artifact types, its configured credentials. An attacker can use the SSRF to fetch data from remote URLs and inject it into Spinnaker pipelines, particularly through Helm or other artifact types. This can expose sensitive information such as AWS IMDSv1 instance-metadata credentials and allows calls to internal Spinnaker APIs that are reachable from Clouddriver. Depending on the artifact configuration, authentication headers (for example GitHub tokens attached to an artifact account) may be sent to an attacker-chosen endpoint, resulting in credential theft. The blast radius extends to any system reachable from the Clouddriver host, including internal services and external APIs.
CVE-2025-61916 was publicly disclosed on January 5, 2026. Its EPSS score is currently low (0.02%) and no active campaigns targeting it are publicly known, but the impact (data exfiltration and credential theft) and the fact that pipeline and artifact configuration is often editable by many users make opportunistic exploitation plausible once an attacker has any access to the Spinnaker UI or API. Monitor security advisories and threat intelligence feeds for indications of exploitation.
Exploit Status
EPSS: 0.02% (4th percentile)
The primary mitigation for CVE-2025-61916 is to upgrade to a fixed Spinnaker release. Before upgrading, review the release notes for breaking changes that may affect existing pipelines or configurations. If an immediate upgrade is not feasible, restrict outbound network access from the Clouddriver service to an allowlist of trusted artifact hosts, using egress network policy or a forward proxy; a Web Application Firewall is the wrong control here, because it inspects inbound requests to your application rather than the requests Clouddriver makes outbound. In particular, block the cloud instance metadata endpoint and Spinnaker's own internal service addresses from Clouddriver's egress path. Monitor Clouddriver logs for artifact fetches to unexpected hosts, which may indicate exploitation attempts.
Update Spinnaker to version 2025.1.6, 2025.2.3 or 2025.3.0 or later. Alternatively, disable HTTP artifact account types that accept a user-supplied URL. Consider using OPA policies to restrict artifact URLs to an allowlist of trusted hosts.
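The two workarounds above (restricting which hosts Clouddriver may fetch artifacts from, and watching the logs for fetches that violate that policy) come down to one URL check applied in two places. The following is an added example written for this page, not Spinnaker or Clouddriver code and not the project's OPA integration. The function names, the allowlist, the fake DNS answers and the log line format are all constructed for the example; the check itself is what an allowlist policy for artifact URLs needs to cover: scheme, userinfo tricks such as `https://trusted@169.254.169.254/`, hosts off the allowlist, and allowlisted hosts whose DNS answer points at an internal or link-local address.

```python
"""Allowlist guard for user-supplied artifact URLs, plus a scanner that
applies the same policy to artifact-fetch log lines.

Added example, not Spinnaker/Clouddriver code. Function names, allowlist,
fake resolver and log format are constructed; adapt the regex to whatever
your Clouddriver logs actually emit.
"""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Hosts an artifact account may fetch from (constructed allowlist).
# rebind.example.com is allowlisted on purpose: its DNS answer below includes
# an internal address, which is the case the resolved-IP check exists for.
ALLOWED_HOSTS = {"charts.example.com", "api.github.com", "rebind.example.com"}

# Constructed DNS answers so the example runs offline. Python's ipaddress
# module classifies the RFC 5737 documentation ranges as private, so the
# "public" answers use ordinary-looking addresses instead.
FAKE_DNS = {
    "charts.example.com": {"93.184.216.34"},
    "api.github.com": {"93.184.216.35"},
    "rebind.example.com": {"93.184.216.36", "10.0.0.5"},
}


def fake_resolve(host):
    return set(FAKE_DNS.get(host, ()))


def real_resolve(host):
    """Resolve with the system resolver; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def forbidden_reason(ip):
    """Why an address must not be contacted, or None if it looks public.
    Catches the IMDS endpoint (169.254.169.254), loopback, RFC 1918, etc."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is judged as IPv4
    for flag in ("is_loopback", "is_link_local", "is_private",
                 "is_multicast", "is_reserved", "is_unspecified"):
        if getattr(addr, flag):
            return flag[3:].replace("_", "-")  # "link-local", "private", ...
    return None


def check_artifact_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=real_resolve):
    """Return (ok, reason) for a URL taken from artifact configuration."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    if parts.username or parts.password:
        # https://api.github.com@127.0.0.1/ has hostname 127.0.0.1, not GitHub
        return False, "credentials in URL"
    host = parts.hostname  # lowercased; brackets stripped from IPv6 literals
    if not host:
        return False, "no host"
    if host not in allowed_hosts:
        return False, f"host not on allowlist: {host}"
    try:
        ips = {str(ipaddress.ip_address(host))}  # literal IP, nothing to resolve
    except ValueError:
        ips = set(resolve(host))
    if not ips:
        return False, f"unresolvable host: {host}"
    for ip in sorted(ips):  # every answer must be public, not just the first
        bad = forbidden_reason(ip)
        if bad:
            return False, f"{host} resolves to {ip} ({bad})"
    return True, "ok"


# Constructed log lines in a made-up "... url=<fetched url>" format.
SAMPLE_LOG = [
    "2026-01-06T10:12:01Z artifact-fetch account=helm-prod url=https://charts.example.com/app-1.2.3.tgz",
    "2026-01-06T10:12:07Z artifact-fetch account=helm-prod url=http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "2026-01-06T10:12:09Z artifact-fetch account=helm-prod url=https://api.github.com@127.0.0.1:7002/credentials",
    "2026-01-06T10:12:15Z artifact-fetch account=helm-prod url=https://rebind.example.com/values.yaml",
    "2026-01-06T10:12:20Z artifact-fetch account=github-prod url=https://api.github.com/repos/org/app/contents/values.yaml",
]
LOG_URL = re.compile(r"\burl=(\S+)")


def flag_suspicious_fetches(lines, allowed_hosts=ALLOWED_HOSTS, resolve=real_resolve):
    """Return [(line, reason)] for fetches that violate the policy."""
    flagged = []
    for line in lines:
        m = LOG_URL.search(line)
        if m:
            ok, reason = check_artifact_url(m.group(1), allowed_hosts, resolve)
            if not ok:
                flagged.append((line, reason))
    return flagged


if __name__ == "__main__":
    for line, reason in flag_suspicious_fetches(SAMPLE_LOG, ALLOWED_HOSTS, fake_resolve):
        print(f"SUSPICIOUS ({reason}): {line}")
```

Two caveats apply to any check of this shape. First, a resolution done at policy-check time can differ from the one done at connect time (DNS rebinding), so the fetcher should connect to the address it validated or the same restriction should be enforced again at an egress proxy. Second, the check covers the first hop only; if the fetcher follows redirects, each redirect target has to pass the same check.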
CVE-2025-61916 is a Server-Side Request Forgery vulnerability in Spinnaker Clouddriver Artifacts that allows attackers to fetch remote data and potentially expose sensitive information.
You are affected if you are using Spinnaker Clouddriver Artifacts versions up to and including main-99. Upgrade to 2025.1.6 or later to mitigate the risk.
Upgrade Spinnaker Clouddriver Artifacts to version 2025.1.6 or later. Review release notes for potential breaking changes before upgrading.
There are currently no publicly known active campaigns targeting this vulnerability, but the SSRF nature suggests a potential for opportunistic exploitation.
Refer to the Spinnaker security advisories and release notes on the official Spinnaker website for detailed information and updates.