VDB
HIGH 8.5

GHSA-c8q4-9h32-2ww8

Spinnaker has non-safe YAML deserialization, allowing RCE when using specific types

Details

### Impact

There is an unsafe YAML processing vulnerability that bypasses safe deserialization. It affects users when performing:

* CloudFormation deployments
* CloudFoundry Baking

Use of a non-safe constructor allows arbitrary loading of Java classes, leading to RCE.
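The advisory does not name the YAML library, so the following added example (not Spinnaker's code) assumes SnakeYAML 1.33+/2.x, where `SafeConstructor(LoaderOptions)` exists. It places the unsafe default-constructor pattern beside the hardened form and shows that a document carrying an explicit Java class tag is rejected by `SafeConstructor` instead of being instantiated.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class SafeYamlLoading {

    // Constructed sample (not from the advisory): a config-shaped document
    // with an explicit Java class tag on one value. The tag is deliberately
    // harmless; the point is only that it names a class, not a YAML type.
    static final String TAGGED_DOC =
        "template:\n" +
        "  name: demo-stack\n" +
        "  artifact: !!java.io.File /tmp/example\n";

    // Vulnerable pattern: new Yaml() uses the full Constructor. In SnakeYAML 1.x
    // it resolves !!fully.qualified.Class tags by instantiating that class,
    // which is the behaviour the advisory describes as arbitrary class loading.
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened pattern: SafeConstructor only builds standard YAML types
    // (maps, lists, scalars). Any global class tag hits ConstructUndefined
    // and throws, so untrusted templates cannot select Java classes.
    static Object loadSafe(String doc) {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false); // fail closed on ambiguous input
        Yaml yaml = new Yaml(new SafeConstructor(opts));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        try {
            loadSafe(TAGGED_DOC);
            System.out.println("unexpected: tagged document was accepted");
        } catch (ConstructorException e) {
            // Expected path: "could not determine a constructor for the tag
            // tag:yaml.org,2002:java.io.File"
            System.out.println("rejected tagged node: " + e.getMessage());
        }
    }
}
```

When auditing a code base for this class of bug, every `new Yaml()` and `new Yaml(new Constructor(...))` that parses user- or artifact-supplied content is a candidate; the fix is to route those through `SafeConstructor` or a typed constructor restricted to the expected root class.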

### Patches

2025.3.3, 2026.0.3 and 2025.4.4.

### Workarounds

Disable the CloudFormation system and CloudFoundry baking operations.

### Resources

Join Spinnaker on Slack for more information!


Affected packages

| Ecosystem / package | Introduced in | Fixed in | Fix |
|---|---|---|---|
| Maven / io.spinnaker.rosco:rosco-core | 0 | 2025.3.3 | pom.xml: bump `<version>2025.3.3</version>` for io.spinnaker.rosco:rosco-core |
| Maven / io.spinnaker.orca:orca-core | 0 | 2025.3.3 | pom.xml: bump `<version>2025.3.3</version>` for io.spinnaker.orca:orca-core |
| Maven / io.spinnaker.rosco:rosco-core | 2025.4.0 | 2025.4.4 | pom.xml: bump `<version>2025.4.4</version>` for io.spinnaker.rosco:rosco-core |
| Maven / io.spinnaker.rosco:rosco-core | 2026.0.0 | 2026.0.3 | pom.xml: bump `<version>2026.0.3</version>` for io.spinnaker.rosco:rosco-core |
| Maven / io.spinnaker.orca:orca-core | 2025.4.0 | 2025.4.4 | pom.xml: bump `<version>2025.4.4</version>` for io.spinnaker.orca:orca-core |
| Maven / io.spinnaker.orca:orca-core | 2026.0.0 | 2026.0.3 | pom.xml: bump `<version>2026.0.3</version>` for io.spinnaker.orca:orca-core |
