{
  "schema_version": "1.4.0",
  "id": "GHSA-9m63-33q3-xq5x",
  "modified": "2025-03-14T20:02:47Z",
  "published": "2025-03-10T22:24:35Z",
  "aliases": [
    "CVE-2025-27616"
  ],
  "summary": "Vela Server Has Insufficient Webhook Payload Data Verification",
  "details": "### Impact\nUsers with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit. \n\nAny user with access to the CI instance and the linked source control manager can perform the exploit.\n\n### Method\nBy spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository. \n\nThese secrets could be exfiltrated by follow up builds to the repository.\n\n### Patches\n`v0.26.3` — Image: `target/vela-server:v0.26.3`\n`v0.25.3` — Image: `target/vela-server:v0.25.3`\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nThere are no workarounds to the issue.\n\n### References\n_Are there any links users can visit to find out more?_\n\nPlease see linked CWEs (common weakness enumerators) for more information.",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-vela/server"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.25.3"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-vela/server"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0.26.0"
            },
            {
              "fixed": "0.26.3"
            }
          ]
        }
      ],
      "database_specific": {
        "last_known_affected_version_range": "<= 0.26.2"
      }
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-vela/server/security/advisories/GHSA-9m63-33q3-xq5x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27616"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vela/server/commit/257886e5a3eea518548387885894e239668584f5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vela/server/commit/67c1892e2464dc54b8d2588815dfb7819222500b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-vela/server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vela/server/releases/tag/v0.25.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vela/server/releases/tag/v0.26.3"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3509"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-345"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-10T22:24:35Z",
    "nvd_published_at": "2025-03-10T19:15:41Z"
  }
}