CVE-2025-27616: Vela Server Has Insufficient Webhook Payload Data Verification
Impact: any Vela user who has enabled a repository that holds repository-level CI secrets is affected. Any user with access to the CI instance and to the linked source control manager can exploit the issue, because the server does not sufficiently verify the data carried in incoming webhook payloads. The fix shipped in the v0.25.3 and v0.26.3 releases listed under References.
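As an added illustration, not Vela's code and not a reproduction of the specific gap fixed in this CVE: the two checks a CI webhook receiver needs before acting on a payload, written in Go with GitHub-style `X-Hub-Signature-256` headers. First the body is authenticated with an HMAC over the raw bytes compared in constant time; then the repository is resolved from the server's own registry by the SCM's numeric repository ID, and the event is refused if the payload's human-readable fields disagree with the stored record, so that a signed-but-spoofed `full_name` cannot redirect the event to another owner's repository. The `EnabledRepo` registry, the shared secret, the repository IDs and the payloads are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Errors returned by ProcessWebhook.
var (
	ErrBadSignature = errors.New("webhook: signature verification failed")
	ErrUnknownRepo  = errors.New("webhook: repository is not enabled on this server")
	ErrRepoMismatch = errors.New("webhook: payload repository fields do not match the enabled record")
)

// pushPayload holds the only fields this example reads from a GitHub-style push event.
type pushPayload struct {
	Repository struct {
		ID       int64  `json:"id"`
		FullName string `json:"full_name"`
	} `json:"repository"`
}

// EnabledRepo is a hypothetical record of a repository enabled on the CI server
// (constructed for this example; not Vela's data model).
type EnabledRepo struct {
	SCMID    int64
	FullName string
	Owner    string
}

// Sign computes the GitHub-style X-Hub-Signature-256 header value for body.
func Sign(secret string, body []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifySignature checks header against HMAC-SHA256(secret, body) in constant time.
// Missing prefix, non-hex digest or wrong digest length all fail closed.
func VerifySignature(secret string, body []byte, header string) bool {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return false
	}
	want, err := hex.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil || len(want) != sha256.Size {
		return false
	}
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(body)
	return hmac.Equal(want, mac.Sum(nil))
}

// ProcessWebhook authenticates the raw body before parsing it, resolves the
// repository from the server's own registry keyed by the SCM's numeric repo ID,
// and refuses the event if the payload's name field disagrees with that record.
func ProcessWebhook(secret string, registry map[int64]EnabledRepo, body []byte, sigHeader string) (EnabledRepo, error) {
	if !VerifySignature(secret, body, sigHeader) {
		return EnabledRepo{}, ErrBadSignature
	}
	var p pushPayload
	if err := json.Unmarshal(body, &p); err != nil {
		return EnabledRepo{}, fmt.Errorf("webhook: bad JSON: %w", err)
	}
	repo, ok := registry[p.Repository.ID]
	if !ok {
		return EnabledRepo{}, ErrUnknownRepo
	}
	// Never trust owner/name fields from the payload; the stored record is authoritative.
	if repo.FullName != p.Repository.FullName {
		return EnabledRepo{}, ErrRepoMismatch
	}
	return repo, nil
}

func main() {
	const secret = "constructed-shared-secret" // constructed for the example
	registry := map[int64]EnabledRepo{
		1001: {SCMID: 1001, FullName: "octo/app", Owner: "octo"},
	}
	good := []byte(`{"repository":{"id":1001,"full_name":"octo/app"}}`)
	spoof := []byte(`{"repository":{"id":1001,"full_name":"attacker/app"}}`)
	fmt.Println(ProcessWebhook(secret, registry, good, Sign(secret, good)))   // accepted
	fmt.Println(ProcessWebhook(secret, registry, good, "sha256=00"))          // ErrBadSignature
	fmt.Println(ProcessWebhook(secret, registry, spoof, Sign(secret, spoof))) // ErrRepoMismatch
}
```

With a single server-wide secret the signature can be checked before any JSON is parsed, which is the preferred order; a design with per-repository secrets has to read the repository ID from the unauthenticated body first to select the secret, and should treat everything else in the payload as untrusted until the HMAC check has passed.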
References
- github.com/advisories/GHSA-9m63-33q3-xq5x
- github.com/go-vela/server
- github.com/go-vela/server/commit/257886e5a3eea518548387885894e239668584f5
- github.com/go-vela/server/commit/67c1892e2464dc54b8d2588815dfb7819222500b
- github.com/go-vela/server/releases/tag/v0.25.3
- github.com/go-vela/server/releases/tag/v0.26.3
- github.com/go-vela/server/security/advisories/GHSA-9m63-33q3-xq5x
- nvd.nist.gov/vuln/detail/CVE-2025-27616
- pkg.go.dev/vuln/GO-2025-3509