Description

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository. These secrets could be exfiltrated by follow up builds to the repository. Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit, and any user with access to the CI instance and the linked source control manager can perform the exploit. Versions 0.25.3 and 0.26.3 fix the issue. No known workarounds are available.

INFO

Published Date :

2025-03-10T18:56:14.537Z

Last Modified :

2025-03-11T18:56:11.199Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-27616 vulnerability.

Vendors Products
Go-vela
  • Server
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-27616.

URL Resource
https://github.com/go-vela/server/commit/257886e5a3eea518548387885894e239668584f5 cve-icon cve-icon
https://github.com/go-vela/server/commit/67c1892e2464dc54b8d2588815dfb7819222500b cve-icon cve-icon
https://github.com/go-vela/server/releases/tag/v0.25.3 cve-icon cve-icon
https://github.com/go-vela/server/releases/tag/v0.26.3 cve-icon cve-icon
https://github.com/go-vela/server/security/advisories/GHSA-9m63-33q3-xq5x cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact