CVE-2025-61916
Server-Side Request Forgery in Spinnaker Artifact Handling Exposes Credentials
Publication date: 2026-01-05
Last updated on: 2026-02-23
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | spinnaker | to 2025.1.6 (exc) |
| linuxfoundation | spinnaker | From 2025.2.0 (inc) to 2025.2.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CWE-523 | Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a server-side request forgery (SSRF) in Spinnaker versions prior to 2025.1.6, 2025.2.3, and 2025.3.0. It allows users to fetch data from remote URLs and inject that data into Spinnaker pipelines via helm or other artifacts. This can lead to extraction of sensitive authentication data such as idmsv1 credentials and internal Spinnaker API calls. Exploitation requires that an artifact type accepting user-supplied URLs (e.g., GitHub file artifacts, HTTP artifacts) is enabled, together with a system that consumes the artifact output. Authentication data can be exposed to arbitrary endpoints, potentially leaking credentials. The vulnerability can be mitigated by disabling HTTP account types that allow user input or by using policies to restrict invalid URLs.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access to sensitive authentication data by allowing attackers to fetch and inject data from arbitrary URLs into Spinnaker pipelines. This can expose credentials such as GitHub authentication headers and internal API data, potentially compromising system security. It may also allow attackers to access internal metadata like AWS Metadata information, leading to further security breaches.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking if your Spinnaker installation has enabled artifact providers that allow user input of URLs, such as GitHub file artifacts, BitBucket, GitLab, HTTP artifacts, or similar. You should verify if HTTP artifact providers are enabled, as they add a no-auth HTTP provider that can be exploited. Additionally, monitor for unusual requests to internal Spinnaker APIs or unexpected fetches of remote URLs. Specific commands are not provided in the context.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Spinnaker to version 2025.1.6, 2025.2.3, or 2025.3.0, where the vulnerability is fixed. As a workaround, disable HTTP account types that allow user input of URLs, although this may not be feasible in many cases. Artifact account types such as Git or Docker that use explicitly configured URLs are safer, as they limit which artifact URLs can be loaded. Alternatively, use vendor-provided OPA policies to prevent pipelines from accessing, or being saved with, invalid URLs.
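An added example (not from the advisory or the Spinnaker project) of the kind of URL restriction and configuration check described above: it audits a pipeline definition and flags artifact URLs that are dynamic, point at non-public addresses, or fall outside a host allowlist. The `expectedArtifacts` / `matchArtifact` / `defaultArtifact` / `type` / `reference` layout, the type names and the allowlist are assumptions, and the sample pipeline is constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: artifact types whose "reference" is a user-supplied URL.
URL_TYPES = {"http/file", "github/file", "gitlab/file", "bitbucket/file"}

def check_reference(ref, allowed_hosts):
    """Return a reason string if the URL should be rejected, else None."""
    if "${" in ref:
        return "dynamic expression, destination unknown until runtime"
    try:
        parts = urlsplit(ref)
        host = (parts.hostname or "").lower()
    except ValueError:
        return "unparseable URL"
    if parts.scheme not in ("http", "https") or not host:
        return "not an absolute http(s) URL"
    try:
        if not ipaddress.ip_address(host).is_global:
            return f"non-public address {host}"
    except ValueError:
        pass  # not an IP literal; the allowlist below decides
    if host not in allowed_hosts:
        return f"host {host} not in allowlist"
    return None

def audit_pipeline(pipeline, allowed_hosts):
    """List (artifact id, reference, reason) for every rejected artifact URL."""
    findings = []
    for expected in pipeline.get("expectedArtifacts", []):
        for key in ("matchArtifact", "defaultArtifact"):
            art = expected.get(key) or {}
            if art.get("type") in URL_TYPES and art.get("reference"):
                reason = check_reference(art["reference"], allowed_hosts)
                if reason:
                    findings.append((expected.get("id"), art["reference"], reason))
    return findings

# Constructed sample pipeline, not taken from a real deployment.
SAMPLE = {"expectedArtifacts": [
    {"id": "a1", "matchArtifact": {"type": "github/file",
        "reference": "https://api.github.com/repos/example/app/contents/values.yaml"}},
    {"id": "a2", "matchArtifact": {"type": "http/file",
        "reference": "http://169.254.169.254/latest/meta-data/"}},
    {"id": "a3", "defaultArtifact": {"type": "http/file",
        "reference": "${parameters.chartUrl}"}},
    {"id": "a4", "matchArtifact": {"type": "http/file",
        "reference": "https://files.example.net/chart.tgz"}},
]}
```

Calling `audit_pipeline(SAMPLE, {"api.github.com"})` reports a2, a3 and a4. Hostnames are not resolved, so only the allowlist guards against a public name that resolves to an internal address.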