CVE-2026-25534

CRITICAL EPSS 15.8%
Published Mar 17, 2026 · Modified Jun 17, 2026
CVSS 3.1: 9.1 (Critical)

Description

### Impact

Spinnaker updated its URL validation logic to sanitize user-supplied URLs for clouddriver. However, the change missed that Java URL objects do not correctly handle underscores when parsing. This allowed a bypass of the previous CVE (CVE-2025-61916) through the use of carefully crafted URLs. Spinnaker found this not just in that CVE, but also in the existing URL validations in Orca fromUrl expression handling. As a result, this CVE impacts BOTH artifacts.

### Patches

This has been merged and will be available in versions 2025.4.1, 2025.3.1, 2025.2.4 and 2026.0.0.

### Workarounds

You can disable the various artifacts on this system to work around these limits.

CVSS Details

Base Score 9.1
Exploitability 3.1
Impact 5.3
Vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Changed
Confidentiality High
Integrity Low
Availability Low

Threat Intelligence

EPSS Exploit Probability
15.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-918 Server-Side Request Forgery (SSRF) Validation

References 3

  • github.com https://github.com/spinnaker/spinnaker/commit/7c4737906239a958a468e843239c6785b03d0eda
  • github.com https://github.com/spinnaker/spinnaker/security/advisories/GHSA-8r8j-gfhg-fw38
  • github.com https://github.com/spinnaker/spinnaker/security/advisories/GHSA-vrjc-q2fh-6x9h

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.