x/vulndb: potential Go vuln in github.com/go-vela/server: CVE-2025-27616

[GoVulnBot]

Advisory CVE-2025-27616 references a vulnerability in the following Go modules:

Module
github.com/go-vela/server

Description:
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository. These secrets could be exfiltrated by follow up builds to the repository. Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit, and any user with access to the CI instance and the linked source control manager can perform t...

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-27616
• FIX: go-vela/server@257886e
• FIX: go-vela/server@67c1892
• WEB: https://github.com/go-vela/server/releases/tag/v0.25.3
• WEB: https://github.com/go-vela/server/releases/tag/v0.26.3
• WEB: GHSA-9m63-33q3-xq5x

Cross references:

• github.com/go-vela/server appears in 3 other report(s):
  • data/reports/GO-2022-0812.yaml (x/vulndb: potential Go vuln in github.com/go-vela/server/api: GHSA-8j3f-mhq8-gmh4 #812)
  • data/reports/GO-2022-1100.yaml (x/vulndb: potential Go vuln in github.com/go-vela/worker: GHSA-5m7g-pj8w-7593 #1100)
  • data/reports/GO-2024-2648.yaml (x/vulndb: potential Go vuln in github.com/go-vela/server: GHSA-69p4-j5v5-x234 #2648)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/go-vela/server
      vulnerable_at: 0.26.3
summary: CVE-2025-27616 in github.com/go-vela/server
cves:
    - CVE-2025-27616
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-27616
    - fix: https://github.com/go-vela/server/commit/257886e5a3eea518548387885894e239668584f5
    - fix: https://github.com/go-vela/server/commit/67c1892e2464dc54b8d2588815dfb7819222500b
    - web: https://github.com/go-vela/server/releases/tag/v0.25.3
    - web: https://github.com/go-vela/server/releases/tag/v0.26.3
    - web: https://github.com/go-vela/server/security/advisories/GHSA-9m63-33q3-xq5x
source:
    id: CVE-2025-27616
    created: 2025-03-10T20:01:21.692692602Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/657255 mentions this issue: data/reports: add 7 reports