Cyber Resilience

CVE-2025-27616

Severity: High

Published: 10 March 2025
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (upgrade to 0.25.3 or 0.26.3)
CVSS v3.1 score: 8.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0008 (23.5th percentile)
Risk priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-27616 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-9 (Service Identification and Authentication) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-27616 is a vulnerability in Vela, a Pipeline Automation (CI/CD) framework built on Linux container technology and written in Golang. In versions prior to 0.25.3 and 0.26.3, attackers can spoof a webhook payload using a specific set of headers and body data to transfer ownership of a repository and its associated repository-level secrets to a separate repository. This issue is linked to CWE-290 (Authentication Bypass by Spoofing) and CWE-345 (Insufficient Verification of Data Authenticity), with a CVSS v3.1 base score of 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

Any user with access to the Vela CI instance and the linked source control manager can exploit this vulnerability against enabled repositories that have access to repository-level CI secrets. Successful exploitation allows the attacker to gain control of the target repository, enabling exfiltration of those secrets through subsequent builds triggered in the attacker-controlled repository.

The Vela security advisory (GHSA-9m63-33q3-xq5x) and corresponding patch commits confirm that upgrading to version 0.25.3 or 0.26.3 resolves the issue by addressing the webhook validation flaws. No known workarounds are available prior to applying these updates.

EU & UK References

Vulnerability details

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository. These secrets could be exfiltrated by follow up builds to the repository. Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit, and any user with access to the CI instance and the linked source control manager can perform the exploit. Versions 0.25.3 and 0.26.3 fix the issue. No known workarounds are available.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Vulnerability in public-facing Vela CI/CD webhook handling allows spoofing to bypass auth and transfer repo ownership/secrets (T1190); directly facilitates access to and exfiltration of repository-level secrets (T1552).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27700 (shared: CWE-290, CWE-345)
CVE-2026-39411 (shared: CWE-290, CWE-345)
CVE-2024-55925 (shared: CWE-290)
CVE-2026-0834 (shared: CWE-290)
CVE-2026-33131 (shared: CWE-290)
CVE-2026-24372 (shared: CWE-290)
CVE-2025-27671 (shared: CWE-290)
CVE-2026-2428 (shared: CWE-345)
CVE-2026-24853 (shared: CWE-290)
CVE-2026-35051 (shared: CWE-345)

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent): Directly mitigates insufficient verification of webhook data authenticity by requiring validation of incoming payloads, headers, and body to block spoofed requests that enable repository ownership transfer.

IA-9 Service Identification and Authentication (prevent): Ensures the CI system authenticates webhooks from the source control service before processing, preventing authentication bypass via spoofed payloads.

Flaw remediation (prevent): Requires timely flaw remediation through upgrades to Vela versions 0.25.3 or 0.26.3, which patch the webhook validation flaws exploited in this CVE.
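The two preventive controls above (IA-9 and SI-10) come down to one rule for a CI webhook endpoint: authenticate the delivery over the raw body before parsing it, and then check that the repository the payload names is the one the hook and its secret were registered for, so a valid delivery for one repository cannot act on another. The Go program below is an added example written for this page; it is not Vela's code and does not reproduce the flaw. It assumes a GitHub-style `X-Hub-Signature-256: sha256=<hex HMAC-SHA256>` header (other source control managers use different header names), and the `hookEvent` shape, `registeredRepo` lookup and sample secret are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// SignPayload computes the signature the source control manager is assumed to
// attach to each delivery: "sha256=" + hex(HMAC-SHA256(secret, body)).
// The header name and format follow the GitHub convention; that any given SCM
// uses exactly this scheme is an assumption of this example.
func SignPayload(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifySignature recomputes the HMAC over the raw body and compares it to the
// presented header value in constant time. A missing header, wrong prefix,
// non-hex value, or any mismatch rejects the delivery: both header and body
// must agree with the shared secret.
func VerifySignature(secret, body []byte, sigHeader string) bool {
	const prefix = "sha256="
	if !strings.HasPrefix(sigHeader, prefix) {
		return false
	}
	got, err := hex.DecodeString(strings.TrimPrefix(sigHeader, prefix))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// hookEvent is a minimal, hypothetical payload shape holding only the field
// this example needs. Real SCM payloads carry much more.
type hookEvent struct {
	Repository struct {
		FullName string `json:"full_name"`
	} `json:"repository"`
}

// AcceptDelivery is the check to run before acting on a webhook: authenticate
// the body first, then confirm the repository named in the now-trusted body is
// the one this hook and secret were registered for. registeredRepo stands in
// for whatever lookup the CI system makes against its own records.
func AcceptDelivery(secret, body []byte, sigHeader, registeredRepo string) (string, bool) {
	if !VerifySignature(secret, body, sigHeader) {
		return "", false
	}
	var ev hookEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		return "", false
	}
	if ev.Repository.FullName != registeredRepo {
		// A genuine delivery for repo A must not be able to act on repo B.
		return "", false
	}
	return ev.Repository.FullName, true
}

// Handler wires the check into net/http: bound the body size, verify before any
// JSON parsing, and answer every failure with the same 401.
func Handler(secret []byte, registeredRepo string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		sig := r.Header.Get("X-Hub-Signature-256")
		if _, ok := AcceptDelivery(secret, body, sig, registeredRepo); !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	})
}

func main() {
	// Constructed sample: a hook secret and a payload as the SCM would send it.
	secret := []byte("example-webhook-secret")
	body := []byte(`{"repository":{"full_name":"octo-org/app"}}`)
	sig := SignPayload(secret, body)
	_, ok := AcceptDelivery(secret, body, sig, "octo-org/app")
	fmt.Println("genuine delivery accepted:", ok)
	// Same signature presented with a different body: rejected.
	_, ok = AcceptDelivery(secret, []byte(`{"repository":{"full_name":"other/repo"}}`), sig, "other/repo")
	fmt.Println("tampered delivery accepted:", ok)
}
```

The ordering matters: the signature is checked over the exact bytes received, before `json.Unmarshal`, so nothing in the body influences control flow until it has been authenticated, and the repository comparison then ties the authenticated payload to the hook's own registration rather than trusting whatever repository name the body claims.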

References