CVE-2025-27616 — Vulnetix

CVE-2025-27616 PUBLISHED CVSS 8.600000381469727 HIGH

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository. These secrets could be exfiltrated by follow up builds to the repository. Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit, and any user with access to the CI instance and the linked source control manager can perform the exploit. Versions 0.25.3 and 0.26.3 fix the issue. No known workarounds are available.

EPSS 0.08% · 23.6th percentile

Risk Scores

CVSS 3.1

8.600000381469727

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

0.08%

23.6th percentile

Affected Products

Vendor	Product	Versions
go-vela	server	*, < 0.25.3, >= 0.26.0, < 0.26.3
github.com	go-vela/server	0, 0.26.0, 0

Exploit Intelligence

CIRCL seen: CVE-2025-27616 (circl-sighting)
CIRCL seen: CVE-2025-27616 (circl-sighting)
CIRCL published-proof-of-concept: CVE-2025-27616 (circl-sighting)
https://github.com/go-vela/server/security/advisories/GHSA-9m63-33q3-xq5x (circl)
https://github.com/go-vela/server/commit/257886e5a3eea518548387885894e239668584f5 (circl)
https://github.com/go-vela/server/commit/67c1892e2464dc54b8d2588815dfb7819222500b (circl)
https://github.com/go-vela/server/releases/tag/v0.25.3 (circl)
https://github.com/go-vela/server/releases/tag/v0.26.3 (circl)

Timeline

Jan 21, 1970 Security Advisory
Mar 10, 2025 CVE Published
Mar 10, 2025 PoC Published
Mar 10, 2025 PoC Published
Mar 10, 2025 PoC Published
Mar 11, 2025 EPSS Score
Mar 14, 2025 CVE Updated
Mar 25, 2025 EPSS Score
Mar 25, 2025 Coalition ESS Score
Apr 7, 2025 EPSS Score
Apr 21, 2025 EPSS Score
May 4, 2025 EPSS Score

References

Open in Interactive Console →