CVE-2026-25534
Spinnaker · Clouddriver / Orca
Spinnaker Clouddriver and Orca components suffer from a URL validation bypass due to improper handling of underscores in Java URL objects, leading to potential security control circumvention.
Executive summary
Spinnaker Clouddriver and Orca are vulnerable to a critical URL validation bypass that allows attackers to circumvent security sanitization using specially crafted URLs.
Vulnerability
The vulnerability arises because Java URL objects do not correctly handle underscores during parsing, which allows attackers to bypass the fix shipped for the earlier CVE-2025-61916. The flaw affects both Clouddriver's URL sanitization and Orca's fromUrl expression handling.
Business impact
A successful bypass of URL validation can lead to Server-Side Request Forgery (SSRF) or unauthorized data access within the cloud deployment pipeline. With a CVSS score of 9.1, this vulnerability represents a significant risk to the integrity of the CI/CD environment, potentially allowing attackers to interact with internal metadata services or protected resources.
Remediation
Immediate Action: Update Spinnaker to version 2025.4.1, 2025.3.1, 2025.2.4, or 2026.0.0 without delay to apply the corrected URL parsing logic.
Proactive Monitoring: Audit Spinnaker logs for suspicious URL patterns, particularly those containing underscores or targeting internal network ranges.
Compensating Controls: Organizations can temporarily disable the affected artifacts or restrict outbound network access from Spinnaker components to minimize the impact of a potential SSRF attack.
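As an added defender-side example (not Spinnaker's code and not taken from this advisory), the Java below illustrates the parser disagreement the advisory alludes to and two checks that follow from the remediation items: an allowlist validator built on java.net.URI, which returns a null host for an authority containing an underscore while java.net.URL returns that host unchanged, and a log-audit routine that flags URLs whose host contains an underscore or is an internal IPv4 literal. The class and method names, the allowlist, and the log lines are all constructed for the example; that this exact URL-versus-URI differential is the mechanism inside Spinnaker is an assumption, since the advisory states only that Java URL objects mishandle underscores.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Illustrative defender-side checks (constructed example, not Spinnaker code):
 *  1. hostViews()       - shows java.net.URL and java.net.URI disagreeing on a host with "_"
 *  2. isAllowedTarget() - strict allowlist validator that treats that disagreement as a reject
 *  3. flagSuspicious()  - log audit for URLs whose host contains "_" or is an internal IPv4 literal
 */
public class UrlHostAudit {

    // RFC 1123 hostname labels: letters, digits, hyphen (no underscore), 1-63 chars,
    // no leading or trailing hyphen.
    private static final Pattern STRICT_HOST = Pattern.compile(
        "^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$");

    private static final Pattern URL_IN_LOG = Pattern.compile("https?://[^\\s\"'<>]+");

    /** Returns {URL.getHost(), URI.getHost()} so the two JDK parsers can be compared side by side. */
    static String[] hostViews(String raw) throws MalformedURLException, URISyntaxException {
        String lenient = new URL(raw).getHost(); // java.net.URL keeps "_" in the host
        String strict = new URI(raw).getHost();  // java.net.URI yields null: "_" is not a valid hostname char
        return new String[] {lenient, strict};
    }

    /** Allowlist check built on java.net.URI; any authority the strict parser cannot name is rejected. */
    static boolean isAllowedTarget(String raw, List<String> allowedHosts) {
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            return false;
        }
        String host = uri.getHost();
        if (host == null) return false;                       // ambiguous authority (e.g. underscore): reject
        if (!STRICT_HOST.matcher(host).matches()) return false;
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        return allowedHosts.contains(host.toLowerCase());
    }

    /** True for IPv4 literals in loopback, RFC 1918 or link-local ranges. No DNS lookup is performed. */
    static boolean isInternalLiteral(String host) {
        String[] p = host.split("\\.", -1);
        if (p.length != 4) return false;
        int[] o = new int[4];
        for (int i = 0; i < 4; i++) {
            if (!p[i].matches("\\d{1,3}")) return false;
            o[i] = Integer.parseInt(p[i]);
            if (o[i] > 255) return false;
        }
        return o[0] == 10 || o[0] == 127
            || (o[0] == 172 && o[1] >= 16 && o[1] <= 31)
            || (o[0] == 192 && o[1] == 168)
            || (o[0] == 169 && o[1] == 254);
    }

    /** Scans log lines for URLs with an underscore in the host or an internal IPv4 literal as host. */
    static List<String> flagSuspicious(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = URL_IN_LOG.matcher(line);
            while (m.find()) {
                String candidate = m.group();
                String host;
                try {
                    host = new URL(candidate).getHost(); // lenient parser, so the "_" host is still extracted
                } catch (MalformedURLException e) {
                    continue;
                }
                if (host.contains("_") || isInternalLiteral(host)) hits.add(candidate);
            }
        }
        return hits;
    }

    // Constructed sample log lines (not real Spinnaker output); hostnames are placeholders.
    static final List<String> SAMPLE_LOG = List.of(
        "2026-02-10T12:00:01Z INFO  fetch https://artifacts.example.com/build/42.tgz",
        "2026-02-10T12:00:02Z INFO  fetch http://meta_data.internal.example/status",
        "2026-02-10T12:00:03Z INFO  fetch http://169.254.169.254/status",
        "2026-02-10T12:00:04Z INFO  fetch https://artifacts.example.com/build/43.tgz");

    public static void main(String[] args) throws Exception {
        String[] views = hostViews("http://meta_data.internal.example/status");
        System.out.println("URL.getHost()=" + views[0] + "  URI.getHost()=" + views[1]);
        List<String> allow = List.of("artifacts.example.com");
        System.out.println(isAllowedTarget("https://artifacts.example.com/build/42.tgz", allow));
        System.out.println(isAllowedTarget("https://meta_data.internal.example/status", allow));
        System.out.println("flagged: " + flagSuspicious(SAMPLE_LOG));
    }
}
```

It can be launched as a single source file with `java UrlHostAudit.java` on JDK 11 or later. The design point is that validation and fetching must agree on what the host is: the validator here refuses any URL for which the strict parser cannot produce a host, rather than falling back to the lenient parser, so an underscore can no longer turn a rejected name into an accepted one.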
Exploitation status
Public Exploit Available: false
Analyst recommendation
It is critical to apply the latest Spinnaker patches immediately, as this vulnerability directly undermines the security controls of the cloud delivery platform. Ensure that all instances of Clouddriver and Orca are updated to the fixed versions to maintain pipeline security.