8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-27616

GHSA ID

GHSA-9m63-33q3-xq5x

EPSS Score

0.11711%

CWE

CWE-290

Published

3/10/2025

Updated

3/14/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-27616

CVE-2025-27616:
Vela Server Has Insufficient Webhook Payload Data Verification

Impact

Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit.

Any user with access to the CI instance and the linked source control manager can perform the exploit.

Method

By spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository.

These secrets could be exfiltrated by follow up builds to the repository.

Patches

v0.26.3 — Image: target/vela-server:v0.26.3 v0.25.3 — Image: target/vela-server:v0.25.3

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

There are no workarounds to the issue.

References

Are there any links users can visit to find out more?

Please see linked CWEs (common weakness enumerators) for more information.

(GitHub Advisory)

8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-27616

GHSA ID

GHSA-9m63-33q3-xq5x

EPSS Score

0.11711%

CWE

CWE-290

Published

3/10/2025

Updated

3/14/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/go-vela/server	go	< 0.25.3	0.25.3
github.com/go-vela/server	go	>= 0.26.0, <= 0.26.2	0.26.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient validation in webhook processing. Key issues include:

The PostWebhook function initially lacked proper webhook signature verification using stored repo secrets (added in patch 67c1892)
Repository event handling trusted payload data over database state, enabling spoofed ownership transfers
CORS misconfigurations (patched in 257886e) could facilitate cross-origin attacks, though the primary vulnerability was in webhook auth
The processRepositoryEvent function didn't validate payload completeness, risking nil pointer exploitation Patch commits show critical security checks were added to webhook validation flows and repository data handling.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Us*rs wit* *n *n**l** r*pository wit* ****ss to r*po l*v*l *I s**r*ts in V*l* *r* vuln*r**l* to t** *xploit. *ny us*r wit* ****ss to t** *I inst*n** *n* t** link** sour** *ontrol m*n***r **n p*r*orm t** *xploit. ### M*t*o* *y spoo*in* *

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt v*li**tion in w***ook pro**ssin*. K*y issu*s in*lu**: *. T** PostW***ook *un*tion initi*lly l**k** prop*r w***ook si*n*tur* v*ri*i**tion usin* stor** r*po s**r*ts (***** in p*t** *******) *. R*pository *v*nt

8.6

Basic Information

Concerned about an active attack path?

CVE-2025-27616: Vela Server Has Insufficient Webhook Payload Data Verification

Impact

Method

Patches

Workarounds

References

8.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-27616:
Vela Server Has Insufficient Webhook Payload Data Verification

Vulnerability Intelligence
Miggo AI