CVE-2025-61916
7.9
Spinnaker Adrift: Sinking the Cloud with SSRF in Clouddriver
Amit Schendel
Senior Security ResearcherJan 6, 2026·5 min read·3 visits
PoC Available
Executive Summary (TL;DR)
Spinnaker's Clouddriver service blindly fetches URLs defined in pipeline artifacts. Attackers can define a malicious HTTP artifact pointing to `169.254.169.254` (AWS Metadata), trigger a pipeline, and exfiltrate the returned IAM credentials via the pipeline's execution logs or baked manifests.
A critical Server-Side Request Forgery (SSRF) vulnerability in Spinnaker's Clouddriver component allows authenticated users to trick the platform into fetching arbitrary internal URLs. By exploiting artifact providers, attackers can pivot through the deployment server to steal cloud metadata credentials or map internal networks.
Official Patches
Technical Appendix
CVSS Score
7.9/ 10
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:LAffected Systems
Spinnaker Clouddriver MicroserviceSpinnaker Rosco (indirectly as consumer)Kubernetes Deployments using Spinnaker
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
Spinnaker Spinnaker | < 2025.1.6 | 2025.1.6 |
Spinnaker Spinnaker | 2025.2.0 - 2025.2.2 | 2025.2.3 |
clouddriver Spinnaker | < 2025.0.9 | 2025.0.9 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-918 (SSRF) |
| CVSS v3.1 | 7.9 (High) |
| Attack Vector | Local / Authenticated UI |
| Impact | Credential Theft / Internal Recon |
| Status | Patched |
| Exploitability | High (Trivial PoC) |
MITRE ATT&CK Mapping
CWE-918
Server-Side Request Forgery (SSRF)
Server-Side Request Forgery (SSRF) occurs when a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, often bypassing firewalls.
Known Exploits & Detection
Vulnerability Timeline
CVE Published
2026-01-05
Patched versions released
2026-01-05