- Description
- Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology, written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo-level secrets to a separate repository. These secrets could then be exfiltrated by follow-up builds to the repository. Users with an enabled repository that has access to repo-level CI secrets in Vela are vulnerable to the exploit, and any user with access to the CI instance and the linked source control manager can perform the exploit. Versions 0.25.3 and 0.26.3 fix the issue. No known workarounds are available.
- Source
- security-advisories@github.com
- NVD status
- Received
CVSS 3.1
- Type
- Secondary
- Base score
- 8.5
- Impact score
- 6
- Exploitability score
- 1.8
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
- Severity
- HIGH
- security-advisories@github.com
- CWE-290
- Hype score
- Not currently trending
🚨 CVE-2025-27616 🔴 HIGH (8.6) 🏢 go-vela - server 🏗️ < 0.25.3 🔗 https://t.co/2Hsr2he8T3 🔗 https://t.co/ETHJsMJyVa 🔗 https://t.co/uBvxSiv8rk 🔗 https://t.co/Ls8SDBQ9gu 🔗 https://t.co/jOZmj7YAff #CyberCron #VulnAlert #InfoSec https://t.co/B5wfSndQAl
@cybercronai
12 Mar 2025
New post from https://t.co/uXvPWJy6tj (CVE-2025-27616 | go-vela server up to 0.25.2/0.26.2 authentication spoofing (GHSA-9m63-33q3-xq5x)) has been published on https://t.co/2UdFJjAPvu
@WolfgangSesin
10 Mar 2025
CVE-2025-27616 Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payl… https://t.co/rtKDcWMxSs
@CVEnew
10 Mar 2025
[CVE-2025-27616: HIGH] Vela CI/CD framework prior to versions 0.25.3 and 0.26.3 was vulnerable to repository takeover via spoofing. Vulnerable users could have secrets exposed. Update to patched versions to secur...#cybersecurity,#vulnerability https://t.co/zOQlI5mOk5 https://t.c
@CveFindCom
10 Mar 2025