PT-2026-1334 · Gitlab+4

Published

2026-01-05

·

Updated

2026-02-23

·

CVE-2025-61916

CVSS v3.1

7.9

High

Vector

AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Spinnaker versions prior to 2025.1.6
Spinnaker versions prior to 2025.2.3
Spinnaker versions prior to 2025.3.0

Description

Spinnaker, an open source, multi-cloud continuous delivery platform, is susceptible to server-side request forgery (SSRF). A user who can define a pipeline can point an artifact at an arbitrary URL; Spinnaker fetches that URL server-side and the response can be injected into the pipeline, for example as input to Helm. This can expose sensitive data, including authentication material such as credentials served by the cloud instance metadata service (IMDSv1) and GitHub authorization headers, and gives access to internal Spinnaker APIs via GET requests. The issue requires a Spinnaker installation with an artifact account enabled that accepts user input, such as GitHub file, Bitbucket, GitLab, or HTTP artifacts, together with a pipeline stage that consumes the fetched artifact. The vulnerability is triggered when an artifact fetches data from the user-supplied URL and that data is then used within the pipeline.

Recommendations

Versions prior to 2025.1.6 should be updated to version 2025.1.6 or later.
Versions prior to 2025.2.3 should be updated to version 2025.2.3 or later.
Versions prior to 2025.3.0 should be updated to version 2025.3.0 or later.
As a mitigation, disable HTTP artifact account types that accept a user-supplied URL.
Use Open Policy Agent (OPA) policies to reject pipelines that reference artifact URLs outside an approved allow-list, so that such pipelines cannot be saved or executed.
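The following Python script is an added example, not code from the Spinnaker project or from this advisory. It shows the save-time allow-list check that the OPA recommendation above describes, applied to the artifact fields of a pipeline definition: only https URLs to approved hosts pass, while the link-local instance-metadata endpoint, internal service hostnames and URLs with embedded credentials are rejected, which is how the fetch described in the Description is prevented from reaching internal targets. The allow-list, the sample pipeline and the choice to check only defaultArtifact references are all constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allow-list of artifact sources (illustrative, not a Spinnaker default).
ALLOWED_HOSTS = {"raw.githubusercontent.com", "gitlab.example.com"}


def url_rejection_reason(url, allowed_hosts=ALLOWED_HOSTS):
    """Return None if the URL may be fetched, else a short reason to refuse it."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return f"scheme {parts.scheme!r} not allowed (https only)"
    if parts.username is not None or parts.password is not None:
        return "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return "missing host"
    # An IP literal must be a public unicast address: this refuses loopback,
    # RFC 1918 ranges and the link-local 169.254.169.254 metadata endpoint.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, checked against the allow-list below
    if ip is not None and not ip.is_global:
        return f"non-public address {host}"
    if host not in allowed_hosts:
        return f"host {host!r} not in allow-list"
    return None


def artifact_references(pipeline):
    """Yield (json_path, reference) for URL-typed default artifacts.

    The expectedArtifacts -> defaultArtifact -> type/reference layout follows
    Spinnaker pipeline JSON. matchArtifact references may be regular
    expressions and would need a separate rule, so they are skipped here.
    """
    for i, expected in enumerate(pipeline.get("expectedArtifacts", [])):
        art = expected.get("defaultArtifact") or {}
        # http/file, github/file, gitlab/file and bitbucket/file all carry a URL.
        if art.get("type", "").endswith("/file") and art.get("reference"):
            yield f"expectedArtifacts[{i}].defaultArtifact.reference", art["reference"]


def audit_pipeline(pipeline, allowed_hosts=ALLOWED_HOSTS):
    """Return [(path, url, reason)] for every artifact URL that should block saving."""
    findings = []
    for path, ref in artifact_references(pipeline):
        reason = url_rejection_reason(ref, allowed_hosts)
        if reason is not None:
            findings.append((path, ref, reason))
    return findings


# Constructed pipeline definition, not taken from a real installation.
SAMPLE_PIPELINE = {
    "application": "demo",
    "name": "deploy-with-helm",
    "expectedArtifacts": [
        {"id": "values", "defaultArtifact": {"type": "github/file",
            "reference": "https://raw.githubusercontent.com/org/charts/main/values.yaml"}},
        {"id": "imds", "defaultArtifact": {"type": "http/file",
            "reference": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}},
        {"id": "internal", "defaultArtifact": {"type": "http/file",
            "reference": "https://spin-clouddriver.spinnaker:7002/credentials"}},
        {"id": "creds", "defaultArtifact": {"type": "http/file",
            "reference": "https://token@raw.githubusercontent.com/org/x/main/y"}},
    ],
}

if __name__ == "__main__":
    for path, ref, reason in audit_pipeline(SAMPLE_PIPELINE):
        print(f"REJECT {path}: {ref} ({reason})")
```

Run directly, the script prints one REJECT line for each of the three bad artifacts and nothing for the allowed GitHub URL. A save-time policy like this is only one layer: the artifact fetcher itself should repeat the host check after DNS resolution and again on every redirect, because an allow-listed hostname can resolve to, or redirect to, an internal address. The check above deliberately performs no network lookups so that it can run offline.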

Exploit

Fix

RCE

SSRF

Related Identifiers

CVE-2025-61916
GHSA-VRJC-Q2FH-6X9H

Affected Products

Bitbucket
Github
Gitlab
Open Policy Agent
Spinnaker