CVE-2026-25534: Spinnaker SSRF Bypass via Java URL Underscore Parsing Quirk
A critical server-side request forgery (SSRF) vulnerability has been disclosed in Spinnaker, the open-source continuous delivery platform, tracked as CVE-2026-25534 (CVSS 9.1, Critical). The flaw affects the clouddriver and orca-core components and represents a bypass of the security fix for CVE-2025-61916 — a previous SSRF vulnerability in the same components.
The bypass rests on a well-documented quirk in Java's URL handling: java.net.URL accepts hostnames containing underscores (which RFC 952/1123 hostnames do not permit), while the JDK's other parser, java.net.URI, gives up on the host entirely for the same input and reports no host at all. A validator that reasons about the parsed host can therefore treat an underscore-containing URL as harmless even though the HTTP client that later makes the request will still resolve and connect to it. An attacker with low-privilege authenticated access to Spinnaker can use crafted URLs to make the backend issue HTTP requests to internal services, including cloud provider metadata endpoints (AWS IMDS, GCP metadata) and cluster-internal APIs.
Fixed versions are available across all affected branches as of March 17, 2026.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-25534 |
| CVSS Score | 9.1 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L |
| CWE Classification | CWE-918 — Server-Side Request Forgery (SSRF) |
| Affected Components | Spinnaker clouddriver (artifact fetching), orca-core (fromUrl expressions) |
| Affected Versions | < 2025.2.4, 2025.3.0, 2025.4.0 |
| Fixed Versions | 2025.2.4, 2025.3.1, 2025.4.1, 2026.0.0+ |
| Attack Vector | Network |
| Authentication Required | Low (authenticated Spinnaker user) |
| Scope | Changed — backend makes requests to internal/restricted hosts |
| Bypasses | CVE-2025-61916 URL validation patch |
| In-the-Wild Exploitation | Not confirmed |
| Patch Available | Yes — March 17, 2026 |
Technical Analysis
Background: CVE-2025-61916 and the Failed Fix
CVE-2025-61916 was an SSRF vulnerability in Spinnaker's clouddriver component that allowed users to supply artifact URLs pointing to internal hosts. The fix added URL sanitization logic to block requests to private IP ranges, metadata endpoints, and restricted hostnames.
CVE-2026-25534 demonstrates that this fix was incomplete due to a Java URL parsing edge case.
Java's Underscore Hostname Parsing Bug
Underscores are not permitted in hostnames (RFC 952/1123 labels contain only letters, digits and hyphens), but java.net.URL does not reject them: new URL("http://foo_bar.example/").getHost() returns the string unchanged. java.net.URI, by contrast, fails server-based parsing on the underscore, falls back to treating the authority as registry-based, and returns null from getHost() for the same input. Two pieces of code on one request path can therefore disagree about what the host is: a validator sees no host, or a host that does not match its blocklist, while the HTTP client resolves and connects to whatever was written. Because the validation regex is applied to the output of one parser and the connection is made by another, the check and the request are no longer talking about the same destination.
The exploit pattern:

```text
# Valid internal metadata endpoint (correctly blocked by the CVE-2025-61916 fix)
http://169.254.169.254/latest/meta-data/

# Bypass using underscore: the Java URL parser mishandles the host, so the regex validation passes
http://169.254.169_254/latest/meta-data/          # hostname segment split incorrectly
http://169.254.169.254_attacker.com@internal/     # auth-based confusion
http://foo_bar.169.254.169.254.nip.io/            # underscore in subdomain bypasses regex
```

The exact bypass variant depends on which URL validation approach was implemented for CVE-2025-61916, and whether a given variant actually reaches the intended target depends on how the HTTP client behind the validator resolves the name it was handed. The common factor is that URL validation built on Java's lenient URL parser is unreliable for security decisions.
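To make the parser disagreement concrete, here is an added example written for this page; it is not code from Spinnaker or from the CVE-2025-61916 fix, whose validator the page does not show. `naiveAllows` is a hypothetical blocklist-style check of the kind the fix is described as using, applied to `java.net.URI.getHost()`; `hardenedResolve` is the resolve-then-check alternative. The four sample URLs are the page's own; the class name `UnderscoreHostDemo`, the method names and the blocklist regex are assumptions for illustration. The URI/URL behaviour it prints is standard JDK behaviour, and how Spinnaker's actual HTTP client treats an underscore host is not something this page establishes.

```java
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

/**
 * Added example (not Spinnaker code): java.net.URI and java.net.URL disagree on a
 * host containing '_', a blocklist validator can be talked past by that, and a
 * resolve-then-check validator cannot.
 */
public class UnderscoreHostDemo {

    // Hostname grammar per RFC 1123: labels of letters, digits and '-', no '_'.
    private static final Pattern STRICT_HOSTNAME = Pattern.compile(
        "^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\\.)*"
        + "[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$");

    // Hypothetical blocklist in the spirit of a "block metadata and private ranges" fix.
    private static final Pattern BLOCKED_HOST = Pattern.compile(
        "^(169\\.254\\..*|10\\..*|172\\.(1[6-9]|2\\d|3[01])\\..*|192\\.168\\..*|localhost|127\\..*)$");

    /** Host as java.net.URI sees it: null when the authority is not a valid server name. */
    static String uriHost(String raw) {
        try { return String.valueOf(new URI(raw).getHost()); }
        catch (URISyntaxException e) { return "URISyntaxException"; }
    }

    /** Host as java.net.URL sees it: the raw substring, with no character validation. */
    @SuppressWarnings("deprecation")
    static String urlHost(String raw) {
        try { return new URL(raw).getHost(); }
        catch (MalformedURLException e) { return "MalformedURLException"; }
    }

    /** Naive validator: blocklist applied to URI.getHost(); a null host slips through. */
    static boolean naiveAllows(String raw) {
        String host;
        try { host = new URI(raw).getHost(); } catch (URISyntaxException e) { return false; }
        if (host == null) {
            return true; // nothing matched the blocklist, so "allowed": this is the bug
        }
        return !BLOCKED_HOST.matcher(host).matches();
    }

    /** Hardened validator: strict host grammar, then a check on every resolved address. */
    static InetAddress[] hardenedResolve(String raw) throws URISyntaxException, UnknownHostException {
        URI uri = new URI(raw);
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme);
        }
        if (uri.getUserInfo() != null) {
            throw new IllegalArgumentException("userinfo not allowed: " + raw);
        }
        String host = uri.getHost();
        if (host == null) {
            // URI gives up on the host for '_' and other non-RFC-1123 characters:
            // treat "could not parse" as "reject", never as "nothing to block".
            throw new IllegalArgumentException("host not parseable: " + raw);
        }
        boolean ipv6Literal = host.startsWith("[") && host.endsWith("]"); // URI keeps the brackets
        if (ipv6Literal) {
            host = host.substring(1, host.length() - 1);
        } else if (!STRICT_HOSTNAME.matcher(host).matches()) {
            throw new IllegalArgumentException("host violates RFC 1123 grammar: " + host);
        }
        // Decide on the addresses the request would actually go to, not on the string.
        InetAddress[] addrs = InetAddress.getAllByName(host);
        for (InetAddress a : addrs) {
            if (isRestricted(a)) {
                throw new IllegalArgumentException(host + " resolves to restricted address " + a.getHostAddress());
            }
        }
        return addrs; // connect to one of these, not to the name again, to defeat DNS rebinding
    }

    static boolean isRestricted(InetAddress a) {
        byte[] b = a.getAddress();
        boolean ulaV6 = b.length == 16 && (b[0] & 0xfe) == 0xfc;                    // fc00::/7, not covered by isSiteLocalAddress
        boolean cgnatV4 = b.length == 4 && (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 0x40; // 100.64.0.0/10
        return a.isLoopbackAddress() || a.isLinkLocalAddress() || a.isSiteLocalAddress()
            || a.isAnyLocalAddress() || a.isMulticastAddress() || ulaV6 || cgnatV4;
    }

    public static void main(String[] args) {
        String[] samples = {                                     // the page's own sample URLs
            "http://169.254.169.254/latest/meta-data/",
            "http://169.254.169_254/latest/meta-data/",
            "http://foo_bar.169.254.169.254.nip.io/",
            "http://169.254.169.254_attacker.com@internal/",
        };
        for (String s : samples) {
            System.out.printf("%-46s URI.getHost=%-32s URL.getHost=%-32s naive=%s%n",
                s, uriHost(s), urlHost(s), naiveAllows(s) ? "ALLOW" : "block");
            try {
                InetAddress[] a = hardenedResolve(s);
                System.out.println("   hardened: allow -> " + a[0].getHostAddress());
            } catch (IllegalArgumentException | URISyntaxException | UnknownHostException e) {
                System.out.println("   hardened: reject (" + e.getMessage() + ")");
            }
        }
    }
}
```

Compile with `javac UnderscoreHostDemo.java` and run with `java UnderscoreHostDemo`; nothing is resolved over the network, because the literal IP is parsed locally and the other three inputs are rejected before any lookup. The naive check blocks only the first URL and allows the three underscore variants; the hardened check rejects all four. The design point is the last line of `hardenedResolve`: the caller should open its connection to one of the returned addresses rather than re-resolving the hostname, otherwise a rebinding DNS record can pass the check and still land on the metadata service.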
Affected Components
clouddriver — Artifact URL Fetching:
Spinnaker's clouddriver fetches artifacts (deployment manifests, configuration files, Docker images) from URLs supplied by users or pipeline configurations. The SSRF allows these fetches to reach internal services.
orca-core — fromUrl Expressions:
Spinnaker's orca pipeline execution engine supports fromUrl expressions that resolve values from remote URLs during pipeline execution. These expressions are also affected by the validation bypass.
Attack Scenarios
Scenario 1: Cloud Provider Metadata Exfiltration
1. The attacker logs into Spinnaker with any valid user account (PR:L).
2. They create a pipeline artifact, or use a `fromUrl` expression, pointing at `http://169.254.169_254/latest/meta-data/iam/security-credentials/`.
3. Spinnaker's clouddriver fetches the URL: the Java URL parser accepts it and the validation regex is bypassed.
4. Spinnaker returns the AWS IMDS response, containing the IAM role's temporary credentials (`AccessKeyId`, `SecretAccessKey`, `Token`) and the instance profile ARN and permissions.
5. The attacker uses the exfiltrated credentials to access AWS resources directly.
Scenario 2: Internal API Access
1. The attacker maps the internal Spinnaker deployment's network topology through earlier reconnaissance.
2. They craft URLs targeting internal services:
   - Kubernetes API server: `https://kubernetes.default.svc_cluster.local/api/v1/secrets/`
   - Internal databases: `http://db_internal.service/admin/`
   - Other microservices not exposed externally
3. They use `fromUrl` pipeline expressions to retrieve the sensitive internal API responses.
4. They exfiltrate those responses through the pipeline execution results.
Impact Assessment
| Impact Area | Description |
|---|---|
| Cloud Credential Theft | AWS/GCP/Azure IMDS access enables IAM credential exfiltration from cloud-hosted deployments |
| Internal Network Pivot | SSRF allows probing and accessing internal services not reachable from the internet |
| Secret Exfiltration | Kubernetes Secret API access, internal credential stores, configuration endpoints |
| CI/CD Pipeline Integrity | Attacker-controlled artifact URLs could inject malicious deployment payloads |
| Scope | Any organization running Spinnaker in a cloud environment with instance metadata available |
| Prerequisite | Only requires a valid Spinnaker user account — accessible to any developer with pipeline access |
Remediation
Primary Fix: Upgrade Affected Components
Upgrade clouddriver and orca-core to the appropriate fixed version for your release branch:
| Branch | Vulnerable | Fixed |
|---|---|---|
| 2025.2.x | < 2025.2.4 | 2025.2.4 |
| 2025.3.x | 2025.3.0 | 2025.3.1 |
| 2025.4.x | 2025.4.0 | 2025.4.1 |
| 2026.0.x | N/A | 2026.0.0+ (clean) |
```bash
# Update clouddriver and orca via Halyard (Spinnaker configuration tool)
hal config version edit --version <target-version>
hal deploy apply --service-names clouddriver,orca
# Gather the service logs to confirm the rollout; check that the running
# clouddriver and orca are the versions that ship with the target release
hal deploy collect-logs
```
Disable Affected Artifact Types (Workaround)
If immediate patching is not feasible, disable the HTTP/HTTPS artifact type in clouddriver's configuration to remove that SSRF entry point:

```yaml
# In clouddriver-local.yml
artifacts:
  http:
    enabled: false
```

Note: this breaks legitimate pipelines that fetch artifacts over HTTP, and it only covers the clouddriver artifact path. The `fromUrl` expression path in orca-core is not affected by this setting, so treat it as a partial mitigation until the patched versions are rolled out.
Network Egress Restrictions
Implement egress filtering on the Spinnaker backend so that, whatever the application-level validation does, the pods cannot reach the metadata service or private ranges they have no business talking to. The policy below selects the clouddriver pods. It first admits cluster DNS and the other Spinnaker services in the namespace, because a NetworkPolicy with `policyTypes: [Egress]` denies everything not matched by some rule, and a bare "everything except private ranges" rule on its own would cut clouddriver off from redis, front50 and DNS:

```yaml
# Block clouddriver pods from reaching cloud metadata endpoints and private
# ranges while keeping cluster DNS and the other Spinnaker services reachable
# (Kubernetes NetworkPolicy example; adjust selectors to your deployment)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-metadata-egress
  namespace: spinnaker
spec:
  podSelector:
    matchLabels:
      app: clouddriver
  policyTypes:
    - Egress
  egress:
    # Cluster DNS; assumes CoreDNS/kube-dns in kube-system labelled k8s-app=kube-dns
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Other Spinnaker services in this namespace (front50, orca, redis, ...)
    - to:
        - podSelector: {}
    # Everything else, except link-local (metadata services) and RFC 1918 space
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.0.0/16   # Link-local (metadata services)
              - 10.0.0.0/8       # Internal RFC1918
              - 172.16.0.0/12    # Internal RFC1918
              - 192.168.0.0/16   # Internal RFC1918
```

Caveats before rolling this out: clouddriver also needs to reach the API servers of the Kubernetes clusters it deploys to and any private cloud API endpoints, so add explicit `ipBlock` entries for those; apply an equivalent policy to the orca pods, since the `fromUrl` path lives there; the kube-dns selector is an assumption about your cluster layout; and enforcement requires a CNI that implements NetworkPolicy. On EC2, requiring IMDSv2 with the response hop limit left at 1 is a complementary control: the token PUT from a pod that is not on host networking cannot complete, so the metadata endpoint stays unreachable even if the policy is misconfigured.
Key Takeaways
- CVE-2026-25534 bypasses the CVE-2025-61916 URL validation patch in Spinnaker via Java's flawed handling of underscores in hostnames — a known Java URL parser edge case
- CVSS 9.1 (Critical) — low authentication bar (any Spinnaker user), scope change to internal network and cloud metadata services
- Two components affected: `clouddriver` (artifact fetching) and `orca-core` (`fromUrl` pipeline expressions); both require patching
- AWS IMDS exploitation is the highest-risk scenario for cloud-hosted Spinnaker deployments; exfiltrated IAM credentials could enable full account compromise
- Patch to the appropriate fixed version (2025.2.4, 2025.3.1, 2025.4.1, or 2026.0.0+) as the primary remediation
- Defense-in-depth: implement Kubernetes NetworkPolicy egress restrictions to block metadata endpoint access from Spinnaker pods regardless of application-level validation
Sources
- CVE-2026-25534 — NIST NVD
- CVE-2026-25534 — GitLab Advisory (clouddriver-artifacts)
- CVE-2026-25534 — GitLab Advisory (orca-core)
- Spinnaker Critical URL Validation Bypass CVE-2026-25534 — TheHackerWire
- CVE-2026-25534 — CIRCL Vulnerability Lookup
- Fix Commit: url validation handling on underscores — Spinnaker GitHub