GHSA-c8q4-9h32-2ww8HighCVSS 8.5
Spinnaker has uon-safe yaml deserialization, allowing RCE when using specific types
🔗 CVE IDs covered (1)
📋 Description
Impact
There's an unsafe YAML processing vulnerability that bypasses safe deserialization. This impacts users when when performing:
- CloudFormation deployments
- CloudFoundry Baking
The usage of a non-safe constructor use allows arbitrary loading of Java classes leading to RCE.
Patches
2025.3.3, 2026.0.3 and 2025.4.4.
Workarounds
Disable the CloudFormation system and cloudfoundry baking operations.
Resources
Join Spinnaker on Slack for more information!
🎯 Affected products6
- maven/io.spinnaker.rosco:rosco-core:< 2025.3.3
- maven/io.spinnaker.orca:orca-core:< 2025.3.3
- maven/io.spinnaker.rosco:rosco-core:>= 2025.4.0, < 2025.4.4
- maven/io.spinnaker.rosco:rosco-core:>= 2026.0.0, < 2026.0.3
- maven/io.spinnaker.orca:orca-core:>= 2025.4.0, < 2025.4.4
- maven/io.spinnaker.orca:orca-core:>= 2026.0.0, < 2026.0.3