{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25534", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T19:59:47.373Z", "datePublished": "2026-03-17T17:27:41.345Z", "dateUpdated": "2026-03-17T17:58:31.817Z"}, "containers": {"cna": {"title": "Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-8r8j-gfhg-fw38", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-8r8j-gfhg-fw38"}, {"name": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-vrjc-q2fh-6x9h", "tags": ["x_refsource_MISC"], "url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-vrjc-q2fh-6x9h"}, {"name": "https://github.com/spinnaker/spinnaker/commit/7c4737906239a958a468e843239c6785b03d0eda", "tags": ["x_refsource_MISC"], "url": "https://github.com/spinnaker/spinnaker/commit/7c4737906239a958a468e843239c6785b03d0eda"}], "affected": [{"vendor": "io.spinnaker.clouddriver", "product": "clouddriver-artifacts", "versions": [{"version": "< 2025.2.4", "status": "affected"}, {"version": ">= 2025.3.0, < 2025.3.1", "status": "affected"}, {"version": ">= 2025.4.0, < 2025.4.1", "status": "affected"}]}, {"vendor": "io.spinnaker.orca", "product": "orca-core", "versions": [{"version": "< 2025.2.4", "status": "affected"}, {"version": ">= 2025.3.0, < 2025.3.1", "status": "affected"}, {"version": ">= 2025.4.0, < 2025.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T17:27:41.345Z"}, "descriptions": [{"lang": "en", "value": "### Impact\nSpinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE (CVE-2025-61916) through the use of carefully crafted URLs. Note, Spinnaker found this not just in that CVE, but in the existing URL validations in Orca fromUrl expression handling. This CVE impacts BOTH artifacts as a result. \n\n### Patches\nThis has been merged and will be available in versions 2025.4.1, 2025.3.1, 2025.2.4 and 2026.0.0. \n\n### Workarounds\nYou can disable the various artifacts on this system to work around these limits."}], "source": {"advisory": "GHSA-8r8j-gfhg-fw38", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T17:48:58.716291Z", "id": "CVE-2026-25534", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T17:58:31.817Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25534", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T17:48:58.716291Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T17:58:26.142Z"}}], "cna": {"title": "Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames", "source": {"advisory": "GHSA-8r8j-gfhg-fw38", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "io.spinnaker.clouddriver", "product": "clouddriver-artifacts", "versions": [{"status": "affected", "version": "< 2025.2.4"}, {"status": "affected", "version": ">= 2025.3.0, < 2025.3.1"}, {"status": "affected", "version": ">= 2025.4.0, < 2025.4.1"}]}, {"vendor": "io.spinnaker.orca", "product": "orca-core", "versions": [{"status": "affected", "version": "< 2025.2.4"}, {"status": "affected", "version": ">= 2025.3.0, < 2025.3.1"}, {"status": "affected", "version": ">= 2025.4.0, < 2025.4.1"}]}], "references": [{"url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-8r8j-gfhg-fw38", "name": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-8r8j-gfhg-fw38", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-vrjc-q2fh-6x9h", "name": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-vrjc-q2fh-6x9h", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/spinnaker/spinnaker/commit/7c4737906239a958a468e843239c6785b03d0eda", "name": "https://github.com/spinnaker/spinnaker/commit/7c4737906239a958a468e843239c6785b03d0eda", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "### Impact\nSpinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE (CVE-2025-61916) through the use of carefully crafted URLs. Note, Spinnaker found this not just in that CVE, but in the existing URL validations in Orca fromUrl expression handling. This CVE impacts BOTH artifacts as a result. \n\n### Patches\nThis has been merged and will be available in versions 2025.4.1, 2025.3.1, 2025.2.4 and 2026.0.0. \n\n### Workarounds\nYou can disable the various artifacts on this system to work around these limits."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T17:27:41.345Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25534", "state": "PUBLISHED", "dateUpdated": "2026-03-17T17:58:31.817Z", "dateReserved": "2026-02-02T19:59:47.373Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-17T17:27:41.345Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "### Impact\nSpinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE (CVE-2025-61916) through the use of carefully crafted URLs. Note, Spinnaker found this not just in that CVE, but in the existing URL validations in Orca fromUrl expression handling. This CVE impacts BOTH artifacts as a result. \n\n### Patches\nThis has been merged and will be available in versions 2025.4.1, 2025.3.1, 2025.2.4 and 2026.0.0. \n\n### Workarounds\nYou can disable the various artifacts on this system to work around these limits."}, {"lang": "es", "value": "### Impacto\nSpinnaker actualiz\u00f3 la l\u00f3gica de validaci\u00f3n de URL en la entrada del usuario para proporcionar saneamiento en las URL ingresadas por el usuario para clouddriver. Sin embargo, pasaron por alto que los objetos URL de Java no manejan correctamente los guiones bajos al analizar. Esto llev\u00f3 a una omisi\u00f3n del CVE anterior (CVE-2025-61916) mediante el uso de URL cuidadosamente elaboradas. Tenga en cuenta que Spinnaker encontr\u00f3 esto no solo en ese CVE, sino en las validaciones de URL existentes en el manejo de expresiones fromUrl de Orca. Este CVE impacta AMBOS artefactos como resultado.\n\n### Parches\nEsto se ha fusionado y estar\u00e1 disponible en las versiones 2025.4.1, 2025.3.1, 2025.2.4 y 2026.0.0.\n\n### Soluciones provisionales\nPuede deshabilitar los diversos artefactos en este sistema para solucionar estas limitaciones."}], "id": "CVE-2026-25534", "lastModified": "2026-04-16T14:46:24.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.3, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-17T18:16:15.063", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/spinnaker/spinnaker/commit/7c4737906239a958a468e843239c6785b03d0eda"}, {"source": "security-advisories@github.com", "url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-8r8j-gfhg-fw38"}, {"source": "security-advisories@github.com", "url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-vrjc-q2fh-6x9h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2025.2.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2025.3.0,2025.3.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2025.4.0,2025.4.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "clouddriver-artifacts", "source": "cna", "vendor": "io.spinnaker.clouddriver"}, "product": "clouddriver-artifacts", "vendor": "spinnaker"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2025.2.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2025.3.0,2025.3.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2025.4.0,2025.4.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "orca-core", "source": "cna", "vendor": "io.spinnaker.orca"}, "product": "orca", "vendor": "spinnaker"}], "analysis": {"en": {"generated_at": "2026-03-17T18:20:40.425832+00:00", "value": {"mitigation_remediation": ["Upgrade Spinnaker clouddriver to version 2025.4.1 or later (including 2026.0.0).", "Upgrade Spinnaker orca to version 2025.4.1 or later (including 2026.0.0).", "If an immediate upgrade is not possible, disable the affected artifacts on the system as a temporary mitigation."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected products include io.spinnaker.clouddriver:clouddriver-artifacts and io.spinnaker.orca:orca-core. The vulnerability affects all earlier releases and is fixed in 2025.4.1, 2025.3.1, 2025.2.4 and 2026.0.0, so any instance running a version before these is vulnerable.", "description_and_impact": "This vulnerability arises from a flaw in Spinnaker\u2019s URL validation logic, where Java URL objects fail to handle underscores in hostnames correctly. The result is a validation bypass that reproduces the conditions of the earlier CVE\u20112025\u201161916 and allows an attacker to supply crafted URLs that are treated as safe. The impact is a potential for arbitrary code execution or control over the Spinnaker deployment, as malicious URLs may be executed by the system when processed by clouddriver or orca.", "risk_and_exploitability": "The vulnerability receives a CVSS score of 9.1, indicating a high risk of exploitation. EPSS data is not available, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is remote, requiring an attacker to supply a malicious URL to a user\u2011facing endpoint; no local privilege escalation or other initial access requirements are noted in the provided description."}}}}, "created": "2026-03-18T12:13:05.347616+00:00", "updated": "2026-03-24T10:48:59.938759+00:00", "vendors": ["spinnaker", "spinnaker$PRODUCT$clouddriver-artifacts", "spinnaker$PRODUCT$orca"]}