Platform: php
Component: tuleap
Fixed in: 17.0.100, 17.0.1, 16.13.1, 16.12.1
CVE-2025-64498 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting Tuleap Enterprise Edition. This flaw allows an attacker to trick authenticated users into unknowingly making changes to tracker general settings within the Tuleap platform. The vulnerability impacts versions of Tuleap Enterprise Edition prior to 17.0-2, 16.13-7, and 16.12-10. A fix is available in versions 17.0-2, 16.13-7, and 16.12-10.
Successful exploitation of this CSRF vulnerability allows an attacker to manipulate Tuleap's tracker settings without the victim's knowledge or consent. This could lead to unauthorized modifications of tracking configurations, potentially impacting data integrity and operational workflows. An attacker could craft malicious links or embed requests within trusted websites to trigger these changes. The blast radius is limited to users with access to modify tracker settings within Tuleap, but the impact on those users can be significant, potentially disrupting tracking processes and introducing errors.
This vulnerability was publicly disclosed on 2025-12-08. No public proof-of-concept (POC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The medium CVSS score indicates a moderate risk level, suggesting that exploitation is possible but not highly probable without significant effort.
Organizations utilizing Tuleap Enterprise Edition for software development and collaboration are at risk. Specifically, teams responsible for managing and configuring Tuleap trackers, and users with permissions to modify tracker settings, are particularly vulnerable. Shared hosting environments where multiple users share a Tuleap instance may also amplify the risk.
• php: Examine Tuleap application logs for unusual POST requests whose Referer or Origin header points to an external domain. Look for patterns indicative of CSRF attacks, such as requests with unexpected parameters or actions.
• generic web: Monitor access logs for requests to Tuleap endpoints that modify tracker settings, especially those originating from unfamiliar IP addresses.
• generic web: Use a web application firewall (WAF) to detect and block CSRF attacks by inspecting HTTP headers and request parameters for suspicious patterns.
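An added example of the log review suggested above (not code from the advisory or from Tuleap): it parses combined-format access log lines, keeps state-changing requests to the tracker administration route, and flags those whose Referer is missing or points to another site. The `/plugins/tracker/?...func=admin` route, the site host and every log line are assumed or constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed combined-format log lines (sample data, not real Tuleap traffic).
SAMPLE_LOG = """\
203.0.113.7 - alice [08/Dec/2025:10:01:02 +0000] "POST /plugins/tracker/?tracker=42&func=admin-editoptions HTTP/1.1" 302 0 "https://tuleap.example.org/plugins/tracker/?tracker=42&func=admin" "Mozilla/5.0"
198.51.100.9 - bob [08/Dec/2025:10:02:15 +0000] "POST /plugins/tracker/?tracker=42&func=admin-editoptions HTTP/1.1" 302 0 "https://evil.example.net/lure.html" "Mozilla/5.0"
198.51.100.9 - bob [08/Dec/2025:10:02:16 +0000] "GET /plugins/tracker/?tracker=42 HTTP/1.1" 200 5120 "https://evil.example.net/lure.html" "Mozilla/5.0"
192.0.2.44 - carol [08/Dec/2025:10:03:40 +0000] "POST /plugins/tracker/?tracker=7&func=admin-editoptions HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed path pattern for Tuleap tracker administration; adjust to the deployment's real route.
TRACKER_ADMIN_RE = re.compile(r'^/plugins/tracker/\?.*\bfunc=admin')


def find_suspicious(log_text, site_host):
    """Return state-changing tracker-admin requests whose Referer is absent or off-site."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['method'] not in ('POST', 'PUT', 'DELETE'):
            continue  # only state-changing methods can alter settings
        if not TRACKER_ADMIN_RE.match(m['path']):
            continue  # not a tracker settings endpoint
        ref_host = urlsplit(m['referer']).hostname  # None for "-" or a malformed value
        if ref_host == site_host:
            continue  # same-origin Referer: what a legitimate form post from the Tuleap UI looks like
        # A missing Referer is lower confidence (privacy extensions and Referrer-Policy strip it);
        # a Referer on another host is the stronger CSRF indicator.
        reason = 'missing Referer' if ref_host is None else f'cross-site Referer {ref_host}'
        findings.append({'ip': m['ip'], 'user': m['user'], 'path': m['path'], 'reason': reason})
    return findings


if __name__ == '__main__':
    for f in find_suspicious(SAMPLE_LOG, 'tuleap.example.org'):
        print(f"{f['ip']} {f['user']} {f['path']} -> {f['reason']}")
```

Behind a reverse proxy the logged client address is the proxy's, so log and match on X-Forwarded-For instead of the first field.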
disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-64498 is to upgrade Tuleap Enterprise Edition to version 17.0-2, 16.13-7, or 16.12-10. If an immediate upgrade is not feasible, consider implementing stricter input validation and output encoding on all user-supplied data within Tuleap. Additionally, implement CSRF protection mechanisms, such as synchronizer tokens or double-submit cookies, to prevent unauthorized requests. Review and restrict access permissions to tracker settings to limit the potential impact of a successful attack. After upgrading, confirm the fix by attempting to trigger a tracker setting modification via a crafted CSRF request; it should be rejected.
Update Tuleap Community Edition to version 17.0.99.1762444754 or later. If you use Tuleap Enterprise Edition, update to version 17.0-2, 16.13-7 or 16.12-10, or a later version.
CVE-2025-64498 is a Cross-Site Request Forgery (CSRF) vulnerability in Tuleap Enterprise Edition, allowing attackers to modify tracker settings without user consent.
You are affected if you are running Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7, or 16.12-10.
Upgrade to Tuleap Enterprise Edition version 17.0-2, 16.13-7, or 16.12-10. Implement CSRF protection mechanisms as a temporary workaround.
There is no confirmed active exploitation of CVE-2025-64498 at this time, but the vulnerability is publicly known.
Refer to the official Tuleap security advisory for detailed information and updates regarding CVE-2025-64498.