CVE-2025-27616

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-27616
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository. These secrets could be exfiltrated by follow up builds to the repository. Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit, and any user with access to the CI instance and the linked source control manager can perform the exploit. Versions 0.25.3 and 0.26.3 fix the issue. No known workarounds are available.

8.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://github.com/go-vela/server/commit/257886e5a3eea518548387885894e239668584f5
https://github.com/go-vela/server/commit/67c1892e2464dc54b8d2588815dfb7819222500b
https://github.com/go-vela/server/releases/tag/v0.25.3
https://github.com/go-vela/server/releases/tag/v0.26.3
https://github.com/go-vela/server/security/advisories/GHSA-9m63-33q3-xq5x
Configurations

No configuration.

History

15 Apr 2026, 00:35

Type Values Removed Values Added
Summary
  • (es) Vela es un framework de automatización de canalización (CI/CD) creado con tecnología de contenedores Linux escrito en Golang. Antes de las versiones 0.25.3 y 0.26.3, al falsificar el payload de un webhook con un conjunto específico de encabezados y datos de cuerpo, un atacante podía transferir la propiedad de un repositorio y sus secretos de nivel de repositorio a un repositorio separado. Estos secretos podrían ser exfiltrados por compilaciones de seguimiento al repositorio. Los usuarios con un repositorio habilitado con acceso a secretos de CI de nivel de repositorio en Vela son afectados por la vulnerabilidad, y cualquier usuario con acceso a la instancia de CI y al administrador de control de código fuente vinculado puede realizar la vulnerabilidad. Las versiones 0.25.3 y 0.26.3 solucionan el problema. No hay workarounds conocidos disponibles.

10 Mar 2025, 19:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-10 19:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-27616

Mitre link : CVE-2025-27616

CVE.ORG link : CVE-2025-27616

JSON object : View

Products Affected

No product.

CWE
CWE-290

Authentication Bypass by Spoofing

CWE-345

Insufficient Verification of Data Authenticity