CVE-2026-25534

{"id": "CVE-2026-25534", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.3, "exploitabilityScore": 3.1}]}, "published": "2026-03-17T18:16:15.063", "references": [{"url": "https://github.com/spinnaker/spinnaker/commit/7c4737906239a958a468e843239c6785b03d0eda", "source": "security-advisories@github.com"}, {"url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-8r8j-gfhg-fw38", "source": "security-advisories@github.com"}, {"url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-vrjc-q2fh-6x9h", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "### Impact\nSpinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE (CVE-2025-61916) through the use of carefully crafted URLs. Note, Spinnaker found this not just in that CVE, but in the existing URL validations in Orca fromUrl expression handling. This CVE impacts BOTH artifacts as a result. \n\n### Patches\nThis has been merged and will be available in versions 2025.4.1, 2025.3.1, 2025.2.4 and 2026.0.0. \n\n### Workarounds\nYou can disable the various artifacts on this system to work around these limits."}, {"lang": "es", "value": "### Impacto\nSpinnaker actualiz\u00f3 la l\u00f3gica de validaci\u00f3n de URL en la entrada del usuario para proporcionar saneamiento en las URL ingresadas por el usuario para clouddriver. Sin embargo, pasaron por alto que los objetos URL de Java no manejan correctamente los guiones bajos al analizar. Esto llev\u00f3 a una omisi\u00f3n del CVE anterior (CVE-2025-61916) mediante el uso de URL cuidadosamente elaboradas. Tenga en cuenta que Spinnaker encontr\u00f3 esto no solo en ese CVE, sino en las validaciones de URL existentes en el manejo de expresiones fromUrl de Orca. Este CVE impacta AMBOS artefactos como resultado.\n\n### Parches\nEsto se ha fusionado y estar\u00e1 disponible en las versiones 2025.4.1, 2025.3.1, 2025.2.4 y 2026.0.0.\n\n### Soluciones provisionales\nPuede deshabilitar los diversos artefactos en este sistema para solucionar estas limitaciones."}], "lastModified": "2026-03-18T14:52:44.227", "sourceIdentifier": "security-advisories@github.com"}