CVE-2025-27616
Published: 10 March 2025
Summary
CVE-2025-27616 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability. Its CVSS base score is 8.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 23.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-9 (Service Identification and Authentication) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-27616 is a vulnerability in Vela, a Pipeline Automation (CI/CD) framework built on Linux container technology and written in Golang. In versions prior to 0.25.3 and 0.26.3, attackers can spoof a webhook payload using a specific set of headers and body data to transfer ownership of a repository and its associated repository-level secrets to a separate repository. This issue is linked to CWE-290 (Authentication Bypass by Spoofing) and CWE-345 (Insufficient Verification of Data Authenticity), with a CVSS v3.1 base score of 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).
Any user with access to the Vela CI instance and the linked source control manager can exploit this vulnerability against enabled repositories that have access to repository-level CI secrets. Successful exploitation allows the attacker to gain control of the target repository, enabling exfiltration of those secrets through subsequent builds triggered in the attacker-controlled repository.
The Vela security advisory (GHSA-9m63-33q3-xq5x) and corresponding patch commits confirm that upgrading to version 0.25.3 or 0.26.3 resolves the issue by addressing the webhook validation flaws. No known workarounds are available prior to applying these updates.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7802
Vulnerability details
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology, written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo-level secrets to a separate repository. These secrets could be exfiltrated by follow-up builds to the repository. Users with an enabled repository with access to repo-level CI secrets in Vela are vulnerable to the exploit, and any user with access to the CI instance and the linked source control manager can perform the exploit. Versions 0.25.3 and 0.26.3 fix the issue. No known workarounds are available.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw in Vela's public-facing CI/CD webhook handling lets a spoofed payload bypass authentication and transfer repository ownership and secrets to another repository (T1190); once that transfer succeeds, it directly facilitates access to and exfiltration of repository-level secrets (T1552).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mitigates insufficient verification of webhook data authenticity by requiring validation of incoming payloads, headers, and body to block spoofed requests that enable repository ownership transfer.
- IA-9 (Service Identification and Authentication): Ensures the CI system authenticates webhooks from the source control service before processing, preventing authentication bypass via spoofed payloads.
- Flaw remediation: Requires timely flaw remediation through upgrades to Vela versions 0.25.3 or 0.26.3, which patch the webhook validation flaws exploited in this CVE.
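As an added illustration of the IA-9 control above (not Vela's own code, and not the specific fix the advisory describes), the following Go program authenticates an incoming webhook by recomputing an HMAC-SHA256 over the raw body and comparing it in constant time with the signature the source control manager sends, before any field in the payload is trusted. It assumes a GitHub-style X-Hub-Signature-256 header and a shared secret held by both the CI system and the SCM; all values in it are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Sentinel errors a handler can map to 401/403 without echoing detail to the sender.
var ErrMissingSignature = errors.New("webhook: missing signature header")
var ErrBadSignature = errors.New("webhook: signature does not match payload")
// VerifyWebhook accepts the raw body only if the sender proved possession of the
// shared secret via a GitHub-style X-Hub-Signature-256 header ("sha256=<hex>").
// It must run before any field in the body (repository, owner, action) is trusted.
func VerifyWebhook(secret, body []byte, header string) error {
	if header == "" {
		return ErrMissingSignature
	}
	const prefix = "sha256="
	if len(header) <= len(prefix) || header[:len(prefix)] != prefix {
		return ErrBadSignature
	}
	got, err := hex.DecodeString(header[len(prefix):])
	if err != nil {
		return ErrBadSignature
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	// hmac.Equal is constant-time, so the comparison leaks nothing about the expected tag.
	if !hmac.Equal(got, mac.Sum(nil)) {
		return ErrBadSignature
	}
	return nil
}

// Sign builds the header value a genuine sender would attach (fixture helper only).
func Sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

func main() {
	secret := []byte("constructed-shared-secret") // constructed value, not a real secret
	body := []byte(`{"repository":{"full_name":"octo/app"},"action":"push"}`)
	fmt.Println("genuine:", VerifyWebhook(secret, body, Sign(secret, body)))
	fmt.Println("altered:", VerifyWebhook(secret, append(body, ' '), Sign(secret, body)))
}
```

A request whose body, secret or header has been altered is rejected with the same error, so a handler can fail closed without telling the sender which part failed.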