GHSA-c8q4-9h32-2ww8HighCVSS 8.5

Spinnaker has uon-safe yaml deserialization, allowing RCE when using specific types

Published
June 22, 2026
Last Modified
June 22, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

There's an unsafe YAML processing vulnerability that bypasses safe deserialization. This impacts users when when performing:

  • CloudFormation deployments
  • CloudFoundry Baking

The usage of a non-safe constructor use allows arbitrary loading of Java classes leading to RCE.

Patches

2025.3.3, 2026.0.3 and 2025.4.4.

Workarounds

Disable the CloudFormation system and cloudfoundry baking operations.

Resources

Join Spinnaker on Slack for more information!

🎯 Affected products6

  • maven/io.spinnaker.rosco:rosco-core:< 2025.3.3
  • maven/io.spinnaker.orca:orca-core:< 2025.3.3
  • maven/io.spinnaker.rosco:rosco-core:>= 2025.4.0, < 2025.4.4
  • maven/io.spinnaker.rosco:rosco-core:>= 2026.0.0, < 2026.0.3
  • maven/io.spinnaker.orca:orca-core:>= 2025.4.0, < 2025.4.4
  • maven/io.spinnaker.orca:orca-core:>= 2026.0.0, < 2026.0.3

🔗 References (2)