Java
CVE-2026-25534
CRITICAL
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Impact
Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE (CVE-2025-61916) through the use of carefully crafted URLs. Note, Spinnaker found this not just in that CVE, but in the existing URL validations in Orca fromUrl expression handling. This CVE impacts BOTH artifacts as a result.
Patches
This has been merged and will be available in versions 2025.4.1, 2025.3.1, 2025.2.4 and 2026.0.0.
Workarounds
You can disable the various artifacts on this system to work around these limits.
AnalysisAI
Java URL parsing in Spinnaker's clouddriver and Orca components fails to properly validate URLs containing underscores, allowing authenticated attackers to bypass URL sanitation controls and potentially execute arbitrary code or access unauthorized resources. This vulnerability affects both the clouddriver artifact handling and Orca fromUrl expression evaluation in versions prior to 2025.2.4, 2025.3.1, 2025.4.1, and 2026.0.0. Patched versions are available, and affected deployments can temporarily disable the vulnerable components as a workaround.
Technical ContextAI
The vulnerability affects Spinnaker's clouddriver-artifacts and orca-core components (identified via CPE as pkg:maven/io.spinnaker.clouddriver:clouddriver-artifacts and pkg:maven/io.spinnaker.orca:orca-core) which handle URL validation for user-supplied input. The root cause stems from CWE-918 (Server-Side Request Forgery), where Java's URL parsing logic incorrectly processes underscores, creating a gap in the validation mechanism. This implementation flaw specifically impacts the artifact handling functionality in both clouddriver and orca's fromUrl expression processing, allowing malicious actors to construct URLs that appear valid to the flawed validation logic but actually target unintended destinations.
RemediationAI
Immediately upgrade Spinnaker to versions 2025.4.1, 2025.3.1, 2025.2.4, or 2026.0.0 or later, which contain the fix documented in commit 7c4737906239a958a468e843239c6785b03d0eda. If immediate patching is not possible, disable artifact functionality in the affected systems as a temporary workaround, though this may impact operational capabilities. Review the vendor advisories at https://github.com/spinnaker/spinnaker/security/advisories/GHSA-8r8j-gfhg-fw38 and monitor https://github.com/advisories/GHSA-8r8j-gfhg-fw38 for additional updates.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-8r8j-gfhg-fw38