CVE-2026-25534 PUBLISHED

Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames

Assigner: GitHub_M
Reserved: 02.02.2026 Published: 17.03.2026 Updated: 17.03.2026
<h3>Impact</h3>

Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE (CVE-2025-61916) through the use of carefully crafted URLs. Note, Spinnaker found this not just in that CVE, but in the existing URL validations in Orca fromUrl expression handling. This CVE impacts BOTH artifacts as a result.

<h3>Patches</h3>

This has been merged and will be available in versions 2025.4.1, 2025.3.1, 2025.2.4 and 2026.0.0.

<h3>Workarounds</h3>

You can disable the various artifacts on this system to work around these limits.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
CVSS Score: 9.1

Product Status

Vendor io.spinnaker.clouddriver
Product clouddriver-artifacts
Versions
  • Version < 2025.2.4 is affected
  • Version >= 2025.3.0, < 2025.3.1 is affected
  • Version >= 2025.4.0, < 2025.4.1 is affected
Vendor io.spinnaker.orca
Product orca-core
Versions
  • Version < 2025.2.4 is affected
  • Version >= 2025.3.0, < 2025.3.1 is affected
  • Version >= 2025.4.0, < 2025.4.1 is affected

References

Problem Types

  • CWE-918: Server-Side Request Forgery (SSRF) CWE