ghsa-9m63-33q3-xq5x
Vulnerability from github
Published
2025-03-10 22:24
Modified
2025-03-14 20:02
Severity ?
8.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
Vela Server Has Insufficient Webhook Payload Data Verification
Details

Impact

Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit.

Any user with access to the CI instance and the linked source control manager can perform the exploit.

Method

By spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository.

These secrets could be exfiltrated by follow up builds to the repository.

Patches

v0.26.3 — Image: target/vela-server:v0.26.3 v0.25.3 — Image: target/vela-server:v0.25.3

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

There are no workarounds to the issue.

References

Are there any links users can visit to find out more?

Please see linked CWEs (common weakness enumerators) for more information.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-vela/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.25.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.26.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-vela/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.26.0"
            },
            {
              "fixed": "0.26.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27616"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-10T22:24:35Z",
    "nvd_published_at": "2025-03-10T19:15:41Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nUsers with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit. \n\nAny user with access to the CI instance and the linked source control manager can perform the exploit.\n\n### Method\nBy spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository. \n\nThese secrets could be exfiltrated by follow up builds to the repository.\n\n### Patches\n`v0.26.3` \u2014 Image: `target/vela-server:v0.26.3`\n`v0.25.3` \u2014 Image: `target/vela-server:v0.25.3`\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nThere are no workarounds to the issue.\n\n### References\n_Are there any links users can visit to find out more?_\n\nPlease see linked CWEs (common weakness enumerators) for more information.",
  "id": "GHSA-9m63-33q3-xq5x",
  "modified": "2025-03-14T20:02:47Z",
  "published": "2025-03-10T22:24:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-vela/server/security/advisories/GHSA-9m63-33q3-xq5x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27616"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vela/server/commit/257886e5a3eea518548387885894e239668584f5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vela/server/commit/67c1892e2464dc54b8d2588815dfb7819222500b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-vela/server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vela/server/releases/tag/v0.25.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vela/server/releases/tag/v0.26.3"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3509"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vela Server Has Insufficient Webhook Payload Data Verification"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.