CVE-2025-27616
Published: 10 March 2025
Description
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Security Summary
CVE-2025-27616 is a vulnerability in Vela, a Pipeline Automation (CI/CD) framework built on Linux container technology and written in Golang. In versions prior to 0.25.3 and 0.26.3, attackers can spoof a webhook payload using a specific set of headers and body data to transfer ownership of a repository and its associated repository-level secrets to a separate repository. This issue is linked to CWE-290 (Authentication Bypass by Spoofing) and CWE-345 (Insufficient Verification of Data Authenticity), with a CVSS v3.1 base score of 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).
Any user with access to the Vela CI instance and the linked source control manager can exploit this vulnerability against enabled repositories that have access to repository-level CI secrets. Successful exploitation allows the attacker to gain control of the target repository, enabling exfiltration of those secrets through subsequent builds triggered in the attacker-controlled repository.
The Vela security advisory (GHSA-9m63-33q3-xq5x) and corresponding patch commits confirm that upgrading to version 0.25.3 or 0.26.3 resolves the issue by addressing the webhook validation flaws. No known workarounds are available prior to applying these updates.
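The flaw class named above (CWE-345, insufficient verification of webhook data) is easiest to see alongside the check that prevents it. The following Go program is an added illustration, not Vela's code or its actual patch: it assumes a GitHub-style `X-Hub-Signature-256` header carrying an HMAC-SHA256 over the raw body, a per-repository webhook secret that the CI server looks up from the hook it registered (never from the incoming headers or body), and a minimal constructed payload shape. A payload is accepted only if its signature verifies under that registered secret and the repository it names is the one the hook is bound to, so a spoofed body cannot redirect ownership to another repository.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// webhookPayload is a constructed, minimal payload shape for this example;
// it is not Vela's or any SCM's real schema.
type webhookPayload struct {
	Repository struct {
		FullName string `json:"full_name"`
		ID       int64  `json:"id"`
	} `json:"repository"`
}

// registeredRepo is what the CI server already knows about the repository a
// hook was enabled for. The secret is resolved from the hook's own registration
// (e.g. the route the delivery arrived on), not from anything the sender supplies.
type registeredRepo struct {
	FullName string
	ID       int64
	Secret   []byte
}

// signBody computes the "sha256=<hex>" signature an SCM would attach to a delivery.
func signBody(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// verifySignature checks the header against an HMAC of the raw body using a
// constant-time comparison, so a forged header cannot be guessed byte by byte.
func verifySignature(secret, body []byte, header string) bool {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return false
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// authenticateWebhook returns the parsed payload only if (1) the body is
// authentic under the registered repository's secret and (2) the payload does
// not claim to concern a different repository than the hook is bound to.
func authenticateWebhook(reg registeredRepo, body []byte, sigHeader string) (*webhookPayload, error) {
	if !verifySignature(reg.Secret, body, sigHeader) {
		return nil, errors.New("webhook signature mismatch")
	}
	var p webhookPayload
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, fmt.Errorf("malformed payload: %w", err)
	}
	if p.Repository.ID != reg.ID || p.Repository.FullName != reg.FullName {
		return nil, errors.New("payload repository does not match registered repository")
	}
	return &p, nil
}

func main() {
	// Constructed sample: a hook registered for octo/app with a shared secret.
	reg := registeredRepo{FullName: "octo/app", ID: 42, Secret: []byte("constructed-secret")}
	body := []byte(`{"repository":{"full_name":"octo/app","id":42}}`)

	// A genuine delivery verifies; one signed under a different secret does not.
	for _, sig := range []string{signBody(reg.Secret, body), signBody([]byte("wrong-secret"), body)} {
		_, err := authenticateWebhook(reg, body, sig)
		fmt.Printf("signature %s...: err=%v\n", sig[:16], err)
	}
}
```

The design point is the order of lookups: the server first decides which repository the delivery belongs to from its own registration data, then verifies the body under that repository's secret, and only then reads the body. Reversing that order, letting the body or headers choose the repository whose secret is used, is exactly the condition in which spoofed data can move a repository and its secrets elsewhere.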
Details
CWE(s): CWE-290 (Authentication Bypass by Spoofing), CWE-345 (Insufficient Verification of Data Authenticity)
MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1552 (Unsecured Credentials)
Why these techniques?
A spoofable webhook handler in the public-facing Vela CI/CD server lets an attacker bypass authentication and transfer repository ownership and secrets to another repository (T1190); the resulting control of the repository gives direct access to, and enables exfiltration of, its repository-level secrets (T1552).