FKIE_CVE-2026-25534

Vulnerability from fkie_nvd - Published: 2026-03-17 18:16 - Updated: 2026-04-16 14:46
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Summary
### Impact Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE (CVE-2025-61916) through the use of carefully crafted URLs. Note, Spinnaker found this not just in that CVE, but in the existing URL validations in Orca fromUrl expression handling. This CVE impacts BOTH artifacts as a result. ### Patches This has been merged and will be available in versions 2025.4.1, 2025.3.1, 2025.2.4 and 2026.0.0. ### Workarounds You can disable the various artifacts on this system to work around these limits.
References
security-advisories@github.comhttps://github.com/spinnaker/spinnaker/commit/7c4737906239a958a468e843239c6785b03d0eda
security-advisories@github.comhttps://github.com/spinnaker/spinnaker/security/advisories/GHSA-8r8j-gfhg-fw38
security-advisories@github.comhttps://github.com/spinnaker/spinnaker/security/advisories/GHSA-vrjc-q2fh-6x9h
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "### Impact\nSpinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver.  However, they missed that Java URL objects do not correctly handle underscores on parsing.  This led to a bypass of the previous CVE (CVE-2025-61916) through the use of carefully crafted URLs.  Note, Spinnaker found this not just in that CVE, but in the existing URL validations in Orca fromUrl expression handling.  This CVE impacts BOTH artifacts as a result.   \n\n### Patches\nThis has been merged and will be available in versions 2025.4.1, 2025.3.1, 2025.2.4 and 2026.0.0.  \n\n### Workarounds\nYou can disable the various artifacts on this system to work around these limits."
    },
    {
      "lang": "es",
      "value": "### Impacto\nSpinnaker actualiz\u00f3 la l\u00f3gica de validaci\u00f3n de URL en la entrada del usuario para proporcionar saneamiento en las URL ingresadas por el usuario para clouddriver. Sin embargo, pasaron por alto que los objetos URL de Java no manejan correctamente los guiones bajos al analizar. Esto llev\u00f3 a una omisi\u00f3n del CVE anterior (CVE-2025-61916) mediante el uso de URL cuidadosamente elaboradas. Tenga en cuenta que Spinnaker encontr\u00f3 esto no solo en ese CVE, sino en las validaciones de URL existentes en el manejo de expresiones fromUrl de Orca. Este CVE impacta AMBOS artefactos como resultado.\n\n### Parches\nEsto se ha fusionado y estar\u00e1 disponible en las versiones 2025.4.1, 2025.3.1, 2025.2.4 y 2026.0.0.\n\n### Soluciones provisionales\nPuede deshabilitar los diversos artefactos en este sistema para solucionar estas limitaciones."
    }
  ],
  "id": "CVE-2026-25534",
  "lastModified": "2026-04-16T14:46:24.290",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 5.3,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-17T18:16:15.063",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/spinnaker/spinnaker/commit/7c4737906239a958a468e843239c6785b03d0eda"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-8r8j-gfhg-fw38"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-vrjc-q2fh-6x9h"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.