Description
Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 on their respective release lines, Kustomize bake operations allow unsafe YAML tag processing in rosco manifests. This can lead to remote code execution on rosco pods when performing Kustomize bakes. This issue is fixed in versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4.
Problem types
CWE-502: Deserialization of Untrusted Data
Product status
>= 2026.0.0, < 2026.0.3
>= 2025.4.0, < 2025.4.4
< 2025.3.4
References
github.com/...nnaker/security/advisories/GHSA-p68j-q7hf-3qcp
github.com/...ommit/2d75818b85cc4c35144d5e5ed45e7340fcab5dfe
github.com/...ommit/bbc30c9b9034a056e95f012fa1b34e9fd703cae7
github.com/...ommit/de5a7a05af35aee19eb71d289cd0b77f67509009
github.com/...ommit/df32d568e82519d9f3896fc9007baba0077c87fd
github.com/...ommit/f5cec213f8cf207843ed5a6929395960a1ca094f
github.com/spinnaker/spinnaker/releases/tag/rosco-2025.3.4
github.com/spinnaker/spinnaker/releases/tag/rosco-2025.4.4
github.com/spinnaker/spinnaker/releases/tag/rosco-2026.0.3
github.com/spinnaker/spinnaker/releases/tag/rosco-2026.1.1
github.com/spinnaker/spinnaker/releases/tag/rosco-2026.2.0