PT-2026-25777 · Spinnaker · Spinnaker
Codewobbler
+1
·
Published
2026-01-05
·
Updated
2026-03-20
·
CVE-2026-25534
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Spinnaker versions prior to 2025.4.1
Spinnaker versions prior to 2025.3.1
Spinnaker versions prior to 2025.2.4
Spinnaker version 2026.0.0
Description
Spinnaker updated the URL validation logic for user input to sanitize URLs for clouddriver. However, Java URL objects do not correctly handle underscores during parsing, leading to a bypass of a previous issue. This impacts both clouddriver and Orca fromUrl expression handling. The issue stems from a flaw in how Java URL objects process underscores within URLs, effectively circumventing the intended URL validation.
Recommendations
Versions prior to 2025.4.1 should be updated to version 2025.4.1 or later.
Versions prior to 2025.3.1 should be updated to version 2025.3.1 or later.
Versions prior to 2025.2.4 should be updated to version 2025.2.4 or later.
Version 2026.0.0 contains a fix for this vulnerability.
Exploit
Fix
SSRF
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Spinnaker