CVE-2025-61916

CVE-2025-61916 is a high-severity improper input validation vulnerability in io.spinnaker.clouddriver:clouddriver-artifacts (maven), affecting versions < 2025.1.6. It is fixed in 2025.1.6, 2025.2.3.

Summary

Workarounds

Disable HTTP account types that allow a user-supplied URL. This is probably not feasible in MOST cases. Git, Docker and other artifact account types with explicit URL configurations bypass this limitation and should be safe, as they limit which artifact URLs can be loaded.

Alternatively, use one of the various vendors that provide OPA policies to restrict pipelines from accessing, or being saved with, invalid URLs.

Impact

The primary impact is allowing users to fetch data from a remote URL. This data can then be injected into Spinnaker pipelines via Helm or other methods to extract things LIKE IMDSv1 authentication data. This ALSO includes calling INTERNAL Spinnaker APIs via GET and similar endpoints. Further, depending upon the artifact configuration, auth data may be sent to arbitrary endpoints (e.g. GitHub auth headers), leading to credential exposure.

To trigger this, a Spinnaker installation MUST have:

  • An artifact enabled that allows user input. This includes GitHub file artifacts, BitBucket, GitLab, HTTP artifacts and similar artifact providers. JUST enabling the HTTP artifact provider adds a "no-auth" HTTP provider that could be used to extract link-local data (e.g. AWS metadata information).
  • A system that can consume the output of these artifacts. For example, Rosco's Helm bake can use this to fetch values data, and Kubernetes account manifests, if the API returns JSON, can be used to inject that data into the pipeline itself (though the pipeline would fail).

To note, because of the way URLs can be injected, CERTAIN systems can be used to mount DOS attacks on Spinnaker itself. These would NOT compromise the system per se, given restart and timeout configuration, but could enable internal attacks by a Spinnaker user against Spinnaker services. For example, an artifact fetch reference could return an infinite response data feed or similar, which acts as a DOS attack. It is recommended to set strong limits on the various HTTP limits AND to restrict artifact URLs to known valid URLs.
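As an added example (not Spinnaker's code), the two mitigations above can be expressed as a pre-save policy check: an artifact reference allow-list that rejects non-HTTPS schemes, loopback and link-local addresses (where cloud metadata lives), embedded credentials and unknown hosts, plus a bounded body read so an endless response cannot exhaust memory. The allow-list, size limit and the `expectedArtifacts`/`matchArtifact.reference` pipeline layout are assumptions; the sample pipeline is constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list and limits; a real deployment substitutes its own values.
ALLOWED_HOSTS = {"github.example.internal", "gitlab.example.internal"}
ALLOWED_SCHEMES = {"https"}
MAX_BODY_BYTES = 10 * 1024 * 1024

def artifact_url_problems(url, allowed_hosts=ALLOWED_HOSTS):
    """Return the reasons an artifact reference should be rejected (empty = allowed)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        problems.append(f"scheme {parts.scheme!r} not allowed")
    host = (parts.hostname or "").lower()
    if not host:
        return problems + ["missing host"]
    try:
        ip = ipaddress.ip_address(host)
        # IP literals: refuse loopback, link-local (cloud metadata), private and reserved ranges.
        if ip.is_loopback or ip.is_link_local or ip.is_private or ip.is_reserved:
            problems.append(f"host {host} is a non-public address")
    except ValueError:
        pass  # a hostname rather than an IP literal; the allow-list decides
    if host not in allowed_hosts:
        problems.append(f"host {host!r} not on allow-list")
    if parts.username or parts.password:
        problems.append("credentials embedded in URL")
    return problems

def scan_pipeline(pipeline):
    """Map each offending expectedArtifact reference to its problems (assumed pipeline layout)."""
    findings = {}
    for ea in pipeline.get("expectedArtifacts", []):
        ref = ea.get("matchArtifact", {}).get("reference") or ""
        if probs := artifact_url_problems(ref):
            findings[ref] = probs
    return findings

def read_bounded(stream, limit=MAX_BODY_BYTES):
    """Read at most `limit` bytes of an artifact body; an endless feed raises instead of growing."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise ValueError(f"artifact body exceeds {limit} bytes")
    return data

# Constructed sample pipeline: one reference points at loopback, the other at an allowed host.
SAMPLE_PIPELINE = {"expectedArtifacts": [
    {"matchArtifact": {"type": "http/file", "reference": "http://127.0.0.1/internal-api"}},
    {"matchArtifact": {"type": "http/file", "reference": "https://github.example.internal/app/values.yaml"}}]}
```

Running `scan_pipeline(SAMPLE_PIPELINE)` flags only the loopback reference, with both the scheme and the non-public address listed as reasons.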

The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths. Typical impact varies by context: data corruption, logic bypass, or denial of service.

CVE-2025-61916 has a CVSS score of 7.9 (High). Its vector requires local access and low privileges, with no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2025.1.6, 2025.2.3); upgrading removes the vulnerable code path.

Affected versions

io.spinnaker.clouddriver:clouddriver-artifacts (< 2025.1.6)
io.spinnaker.clouddriver:clouddriver-artifacts (>= 2025.2.0, < 2025.2.3)

Security releases

io.spinnaker.clouddriver:clouddriver-artifacts → 2025.1.6 (maven)
io.spinnaker.clouddriver:clouddriver-artifacts → 2025.2.3 (maven)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Fixed in clouddriver versions 2025.2.3, 2025.1.5, 2025.0.9. Impacts all prior Spinnaker releases.

Frequently Asked Questions

  1. What is CVE-2025-61916? CVE-2025-61916 is a high-severity improper input validation vulnerability in io.spinnaker.clouddriver:clouddriver-artifacts (maven), affecting versions < 2025.1.6. It is fixed in 2025.1.6, 2025.2.3. The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths.
  2. How severe is CVE-2025-61916? CVE-2025-61916 has a CVSS score of 7.9 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of io.spinnaker.clouddriver:clouddriver-artifacts are affected by CVE-2025-61916? io.spinnaker.clouddriver:clouddriver-artifacts (maven) versions < 2025.1.6 are affected.
  4. Is there a fix for CVE-2025-61916? Yes. CVE-2025-61916 is fixed in 2025.1.6 and 2025.2.3. Upgrade to one of these versions or later.
  5. Is CVE-2025-61916 exploitable, and should I be worried? Whether CVE-2025-61916 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2025-61916 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-61916?
    • Upgrade io.spinnaker.clouddriver:clouddriver-artifacts to 2025.1.6 or later
    • Upgrade io.spinnaker.clouddriver:clouddriver-artifacts to 2025.2.3 or later
