CVE-2025-27616

EPSS 0.25%
Veröffentlicht 10.03.2025 18:56:14
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Vela Server has Insufficient Webhook Payload Data Verification

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository. These secrets could be exfiltrated by follow up builds to the repository. Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit, and any user with access to the CI instance and the linked source control manager can perform the exploit. Versions 0.25.3 and 0.26.3 fix the issue. No known workarounds are available.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 8

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellergo-vela

≫

Produkt server

Version < 0.25.3

Status affected

Version >= 0.26.0, < 0.26.3

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.25%	0.155

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.5	1.8	6	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

https://github.com/go-vela/server/security/advisories/GHSA-9m63-33q3-xq5x

https://github.com/go-vela/server/commit/257886e5a3eea518548387885894e239668584f5

https://github.com/go-vela/server/commit/67c1892e2464dc54b8d2588815dfb7819222500b

https://github.com/go-vela/server/releases/tag/v0.25.3

https://github.com/go-vela/server/releases/tag/v0.26.3

https://nvd.nist.gov/vuln/detail/CVE-2025-27616

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-27616

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-27616

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-27616