Insecure deserialization in io.spinnaker.rosco:rosco-core

Description

Spinnaker has non-safe YAML deserialization, allowing RCE when specific types are used.

Impact

There is an unsafe YAML processing vulnerability that bypasses safe deserialization. This impacts users when performing:

    CloudFormation deployments

    CloudFoundry Baking

The use of a non-safe YAML constructor allows arbitrary loading of Java classes, leading to RCE.
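The following is an added example, not code from the advisory or from the Spinnaker/rosco code base. It assumes the YAML library in question is SnakeYAML 2.x (an assumption; the advisory only says "non-safe constructor") and shows the weak setting next to the hardened one: a loader built on SnakeYAML's `Constructor` with a permissive `TagInspector` will instantiate whatever JVM class a `!!` tag in the document names, while a loader built on `SafeConstructor` only knows the standard YAML tags and rejects the same document. The class name `YamlLoaderHardening`, the method names and the sample documents are all constructed for this example.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

// Weak versus hardened YAML loading with SnakeYAML 2.x (assumed library and version).
public class YamlLoaderHardening {

    // Constructed sample: a document carrying a global "!!" tag that names a JVM class.
    // java.util.Properties is used only because it is harmless; the point is that the
    // permissive loader honours whatever class name the document's author chose.
    static final String TAGGED_DOC = "!!java.util.Properties {region: us-east-1}";

    // Constructed sample: an ordinary untagged document, as a bake or deploy config would be.
    static final String PLAIN_DOC = "region: us-east-1\nimage: ubuntu-22.04";

    // Weak setting: the general-purpose Constructor resolves "!!" tags to classes and
    // instantiates them. In SnakeYAML 1.x this is what a bare `new Yaml()` does by default;
    // in 2.x it only happens when the TagInspector is overridden to allow every global tag,
    // which is done explicitly here to reproduce the weak behaviour.
    static Object loadWithUnsafeConstructor(String yaml) {
        LoaderOptions permissive = new LoaderOptions();
        permissive.setTagInspector(tag -> true); // allows any global tag: the dangerous part
        Yaml loader = new Yaml(new Constructor(permissive));
        return loader.load(yaml);
    }

    // Hardened setting: SafeConstructor only builds the standard YAML types (map, seq, str,
    // int, ...) and throws ConstructorException for any other global tag, so a document
    // cannot name a class to instantiate.
    static Object loadWithSafeConstructor(String yaml) {
        Yaml loader = new Yaml(new SafeConstructor(new LoaderOptions()));
        return loader.load(yaml);
    }

    public static void main(String[] args) {
        Object fromUnsafe = loadWithUnsafeConstructor(TAGGED_DOC);
        System.out.println("permissive loader instantiated: " + fromUnsafe.getClass().getName());

        try {
            loadWithSafeConstructor(TAGGED_DOC);
            System.out.println("unexpected: SafeConstructor accepted the tagged document");
        } catch (ConstructorException e) {
            System.out.println("SafeConstructor rejected the tagged document: " + e.getMessage());
        }

        // Untagged documents still load under SafeConstructor as plain java.util collections,
        // so switching constructors does not break ordinary configuration files.
        Object fromSafe = loadWithSafeConstructor(PLAIN_DOC);
        System.out.println("plain document loaded as: " + fromSafe.getClass().getName());
    }
}
```

When reviewing code for this class of bug, the thing to grep for is any `new Yaml()` or `new Yaml(new Constructor(...))` that is fed user- or tenant-controlled input (template bodies, manifests, bake parameters); each such site should either use `SafeConstructor` or, where typed loading is genuinely needed, a `TagInspector` that allows only an explicit list of expected classes.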

Patches

2025.3.3, 2026.0.3 and 2025.4.4.

Workarounds

Disable the CloudFormation system and cloudfoundry baking operations.

Resources

Join Spinnaker on Slack for more information!

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
