CVE-2025-27616

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository. These secrets could be exfiltrated by follow up builds to the repository. Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit, and any user with access to the CI instance and the linked source control manager can perform the exploit. Versions 0.25.3 and 0.26.3 fix the issue. No known workarounds are available.

CVSS v3 8.5 HIGH

8.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/go-vela/server/commit/257886e5a3eea518548387885894e239668584f5
https://github.com/go-vela/server/commit/67c1892e2464dc54b8d2588815dfb7819222500b
https://github.com/go-vela/server/releases/tag/v0.25.3
https://github.com/go-vela/server/releases/tag/v0.26.3
https://github.com/go-vela/server/security/advisories/GHSA-9m63-33q3-xq5x

Configurations

No configuration.

History

10 Mar 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-10 19:15

Updated : 2025-03-10 19:15

NVD link : CVE-2025-27616

Mitre link : CVE-2025-27616

CVE.ORG link : CVE-2025-27616

JSON object : View

Products Affected

No product.

CWE

CWE-290

Authentication Bypass by Spoofing

CWE-345

Insufficient Verification of Data Authenticity

8.5 /10