
CVE-2025-27616


Date: March 10, 2025

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology and written in Go. Prior to versions 0.25.3 and 0.26.3, an attacker who spoofed a webhook payload with a specific set of headers and body data could transfer ownership of a repository, together with its repo-level secrets, to a separate repository. Those secrets could then be exfiltrated by follow-up builds of that repository. Any user with an enabled repository that has access to repo-level CI secrets in Vela is affected, and any user with access to the CI instance and the linked source control manager can carry out the exploit. Versions 0.25.3 and 0.26.3 fix the issue. No known workarounds are available.
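The weakness classes below (CWE-345, CWE-290) come down to acting on webhook headers and body before the request has been authenticated. The following Go program is an added illustration of the usual defence for inbound SCM webhooks, HMAC verification of the raw body with a shared secret, checked in constant time before any header-driven decision is made. It is not Vela's code and does not reproduce the project's fix; the header names X-Hub-Signature-256 and X-GitHub-Event are GitHub's, the secret and payloads are constructed for the example, and the Webhook type and Authenticate function are assumptions introduced here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ErrBadSignature is returned for a missing, malformed or mismatching MAC.
var ErrBadSignature = errors.New("webhook signature missing or invalid")

// Sign computes the "sha256=<hex>" value a sender puts in X-Hub-Signature-256
// (GitHub's header name; other SCMs use their own header and format).
func Sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// Verify recomputes the MAC over the exact raw body and compares it with the
// presented header in constant time. Any deviation (no header, wrong prefix,
// bad hex, different key, altered body) is rejected.
func Verify(secret, body []byte, header string) error {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return ErrBadSignature
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil {
		return ErrBadSignature
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	if !hmac.Equal(got, mac.Sum(nil)) {
		return ErrBadSignature
	}
	return nil
}

// Webhook is an assumed, minimal stand-in for an inbound webhook request.
type Webhook struct {
	Headers map[string]string
	Body    []byte
}

// Authenticate returns the event type only after the body authenticates.
// Header-driven actions (routing on event type, changing repository state)
// must happen after this call, never before it.
func Authenticate(secret []byte, wh Webhook) (string, error) {
	if err := Verify(secret, wh.Body, wh.Headers["X-Hub-Signature-256"]); err != nil {
		return "", err
	}
	return wh.Headers["X-GitHub-Event"], nil
}

func main() {
	secret := []byte("constructed-shared-secret")              // constructed for the example
	body := []byte(`{"ref":"refs/heads/main","repository":{}}`) // constructed payload

	genuine := Webhook{
		Headers: map[string]string{"X-GitHub-Event": "push", "X-Hub-Signature-256": Sign(secret, body)},
		Body:    body,
	}
	ev, err := Authenticate(secret, genuine)
	fmt.Println(ev, err) // push <nil>

	// Same headers, altered body: the MAC no longer matches and nothing
	// downstream ever sees the event type.
	tampered := genuine
	tampered.Body = []byte(`{"ref":"refs/heads/main","repository":{"x":1}}`)
	_, err = Authenticate(secret, tampered)
	fmt.Println(err) // webhook signature missing or invalid

	// Headers alone, with no signature, are likewise not trusted.
	_, err = Authenticate(secret, Webhook{Headers: map[string]string{"X-GitHub-Event": "push"}, Body: body})
	fmt.Println(err) // webhook signature missing or invalid
}
```

The important design point is ordering: the MAC is checked over the raw bytes before the JSON is parsed or any header is consulted, so a request that carries plausible headers but was not produced by the holder of the shared secret cannot drive repository state changes. hmac.Equal is used rather than a byte-slice comparison so that timing does not leak how many signature bytes matched.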

Severity Score

Weakness Type (CWE)

CWE-345: Insufficient Verification of Data Authenticity
CWE-290: Authentication Bypass by Spoofing

Top Fix

Upgrade Version

Upgrade github.com/go-vela/server to v0.25.3 or v0.26.3.

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH
