Platform
php
Component
tuleap
Fixed in
16.13.100
16.13.1
16.12.1
CVE-2025-64117 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting Tuleap Community Edition versions prior to 16.13.99.1761813675 and Tuleap Enterprise Edition versions prior to 16.13-5 and 16.12-8. This flaw allows an attacker to potentially manipulate SVN commit rules and immutable tags within a repository by deceiving authenticated users. The vulnerability has been resolved in Tuleap Community Edition 16.13.99.1761813675, Tuleap Enterprise Edition 16.13-5, and Tuleap Enterprise Edition 16.12-8.
An attacker can exploit this CSRF vulnerability to gain unauthorized control over SVN repositories managed by Tuleap. By crafting malicious requests and tricking authenticated users into executing them, an attacker could modify commit rules, potentially allowing unauthorized code changes or bypassing security controls. They could also alter immutable tags, disrupting version control and potentially leading to data corruption or loss. The impact is particularly severe in environments where SVN is used for critical software development or deployment pipelines, as a successful attack could compromise the integrity of the entire codebase.
CVE-2025-64117 was published on 2025-11-12. There is no indication of active exploitation or KEV listing at the time of writing. No public proof-of-concept (PoC) code has been released. The vulnerability's impact relies on social engineering to trick users, which may lower the probability of exploitation compared to remote code execution vulnerabilities.
Organizations heavily reliant on Tuleap for software development and version control, particularly those using SVN for critical projects, are at risk. Environments with shared Tuleap instances or those lacking robust user awareness training are also more vulnerable to CSRF attacks.
• php: Examine Tuleap application logs for unusual requests related to SVN commit rule or immutable tag modifications. Look for requests originating from unexpected sources or with suspicious parameters.
grep -Ei 'svn commit rule|immutable tag' /var/log/tuleap/application.log
• generic web: Monitor access logs for requests to SVN management endpoints with unusual HTTP Referer headers. This can indicate a potential CSRF attempt.
curl -I <tuleap_url>/svn/management/endpoint | grep -i referer
Disclosure
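As an added illustration of the access-log check described above (not part of the original advisory or of Tuleap's own code), the following Python flags state-changing requests to the SVN administration pages whose Referer is missing or names a host other than the Tuleap instance. The Tuleap hostname, the /plugins/svn/ path prefix and the log lines are assumptions constructed for this example; adjust them to your deployment.

```python
import re
from urllib.parse import urlsplit

# Hostname of the Tuleap instance (assumed for this example).
TULEAP_HOST = "tuleap.example.org"
# Path prefix of the SVN administration pages (assumed; adjust to your deployment).
SVN_ADMIN_PREFIX = "/plugins/svn/"

# Apache/nginx "combined" log format; the Referer is the second quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def referer_is_foreign(referer: str) -> bool:
    """True when the Referer is absent or names a host other than the Tuleap host.
    A missing Referer is a weak signal on its own (Referrer-Policy can strip it)."""
    if referer in ("", "-"):
        return True
    host = urlsplit(referer).hostname
    return host is None or host.lower() != TULEAP_HOST

def suspicious_requests(lines):
    """Return (ip, path, referer) for state-changing requests to the SVN admin
    area whose Referer does not point back at the Tuleap instance."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip
        if m["method"] not in ("POST", "PUT", "DELETE", "PATCH"):
            continue  # CSRF targets state-changing requests
        if not m["path"].startswith(SVN_ADMIN_PREFIX):
            continue
        if referer_is_foreign(m["referer"]):
            hits.append((m["ip"], m["path"], m["referer"]))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Nov/2025:10:01:02 +0000] "GET /plugins/svn/?group_id=101 HTTP/1.1" 200 512 "https://tuleap.example.org/projects/demo" "Mozilla/5.0"',
    '10.0.0.5 - alice [12/Nov/2025:10:01:09 +0000] "POST /plugins/svn/admin/commit_rules HTTP/1.1" 302 0 "https://tuleap.example.org/plugins/svn/?group_id=101" "Mozilla/5.0"',
    '10.0.0.5 - alice [12/Nov/2025:10:04:41 +0000] "POST /plugins/svn/admin/immutable_tags HTTP/1.1" 302 0 "https://evil.example.net/lure.html" "Mozilla/5.0"',
    '10.0.0.9 - bob [12/Nov/2025:10:05:13 +0000] "POST /plugins/svn/admin/commit_rules HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, ref in suspicious_requests(SAMPLE_LOG):
        print(f"suspicious: {ip} {path} referer={ref!r}")
```

Hits are a triage signal, not proof: confirm the user's session and the resulting commit-rule or tag change in Tuleap before treating a request as an attack.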
Exploit status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-64117 is to upgrade Tuleap to a patched version: 16.13.99.1761813675, 16.13-5, or 16.12-8. If an immediate upgrade is not feasible, consider implementing stricter access controls and input validation on SVN commit rule and immutable tag management interfaces. Implementing a Content Security Policy (CSP) with strict origin restrictions can also help mitigate CSRF attacks. Regularly review SVN commit logs for any suspicious activity. After upgrading, confirm the fix by attempting to trigger a CSRF request and verifying that it is blocked.
Update Tuleap Community Edition to version 16.13.99.1761813675 or later. If you use Tuleap Enterprise Edition, update to version 16.13-5 or 16.12-8 or a later version, as applicable. This fixes the CSRF vulnerability in the management of SVN commit rules and immutable tags.
CVE-2025-64117 is a Cross-Site Request Forgery (CSRF) vulnerability in Tuleap Enterprise Edition versions less than or equal to 16.13-5, allowing attackers to manipulate SVN commit rules and immutable tags.
You are affected if you are running Tuleap Enterprise Edition versions prior to 16.13-5 or 16.12-8, or Tuleap Community Edition prior to 16.13.99.1761813675.
Upgrade to Tuleap Enterprise Edition version 16.13-5 or 16.12-8, or Tuleap Community Edition version 16.13.99.1761813675. Consider implementing stricter access controls as an interim measure.
There is currently no public information indicating that CVE-2025-64117 is being actively exploited.
Refer to the official Tuleap security advisory for detailed information and updates: [https://www.tuleap.org/security/advisories/](https://www.tuleap.org/security/advisories/)