Platform
php
Component
tuleap
Fixed in
17.0.100
17.0.1
16.13.1
CVE-2025-64760 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in Tuleap, a free and open-source software development and collaboration suite. This flaw allows an attacker to manipulate Tuleap's tracker triggers, potentially leading to unauthorized actions within the system. The vulnerability impacts Tuleap Community Edition versions prior to 17.0.99.1763126988 and Tuleap Enterprise Edition versions prior to 17.0-3 and 16.13-8. A fix is available in the specified updated versions.
Successful exploitation of CVE-2025-64760 allows an attacker to craft malicious requests that, when triggered by a legitimate user, can result in the creation or deletion of tracker triggers within Tuleap. Tracker triggers are automated actions that occur when specific events happen within the system, such as sending notifications or updating fields. An attacker could leverage this to disrupt workflows, exfiltrate sensitive data (if triggers are configured to expose it), or even gain unauthorized access to other parts of the Tuleap system depending on trigger configurations. The blast radius is directly tied to the privileges associated with the affected tracker triggers and the data they interact with.
CVE-2025-64760 was publicly disclosed on December 8, 2025. There is no indication of this vulnerability being actively exploited at the time of publication. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not currently available, but the CSRF nature of the vulnerability means that exploitation is likely possible with relatively simple tooling.
Organizations heavily reliant on Tuleap for software development and collaboration are at risk. Specifically, deployments with complex tracker trigger configurations, or those that have not implemented robust security practices, are more vulnerable. Shared hosting environments running Tuleap are also at increased risk, as they may be more susceptible to cross-site scripting and CSRF attacks.
• php: Examine Tuleap application logs for requests with unusual origins or unexpected parameters. Look for POST requests to trigger creation/deletion endpoints without proper CSRF tokens.
  grep -i 'csrf' /var/log/apache2/access.log | grep 'tuleap'
• generic web: Use curl to test for CSRF vulnerabilities on Tuleap endpoints. Attempt to trigger actions without proper authentication or CSRF protection.
  curl -v -X POST -d 'trigger_action=delete' https://tuleap.example.com/tracker/trigger/1
• php: Check Tuleap configuration files for any insecure settings related to CSRF protection. Verify that CSRF tokens are properly generated and validated for all sensitive actions.
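As an added example (not part of the original advisory and not Tuleap's own code), the log check from the first bullet above carried through in Python: it parses Apache combined-format access log lines and flags POST requests to the trigger endpoint whose Referer is missing or comes from a host other than the Tuleap instance itself. The /tracker/trigger path prefix is taken from the curl example above and is an assumption; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Path prefix of the tracker-trigger endpoints (assumption taken from the curl
# example in this advisory; adjust to the real Tuleap route if it differs).
TRIGGER_PATH_RE = re.compile(r"^/tracker/trigger(/|$)")

def referer_host(referer: str) -> str:
    """Host part of a Referer header value, or '' when absent ('-' in Apache logs)."""
    if referer in ("", "-"):
        return ""
    return urlsplit(referer).hostname or ""

def suspicious_trigger_requests(lines, expected_host):
    """Return (ip, path, referer) for POST requests to trigger endpoints whose
    Referer is missing or not from expected_host. A missing Referer is not proof
    of CSRF (browsers may strip it), so treat hits as triage leads, not verdicts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse as combined log format
        if m["method"] != "POST" or not TRIGGER_PATH_RE.match(m["path"]):
            continue
        if referer_host(m["referer"]) != expected_host:
            hits.append((m["ip"], m["path"], m["referer"] or "-"))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Dec/2025:10:00:01 +0000] "POST /tracker/trigger/1 HTTP/1.1" 302 0 "https://tuleap.example.com/plugins/tracker/?tracker=1" "Mozilla/5.0"',
    '203.0.113.9 - - [08/Dec/2025:10:00:07 +0000] "POST /tracker/trigger/1 HTTP/1.1" 302 0 "https://external.example.net/page.html" "Mozilla/5.0"',
    '203.0.113.9 - - [08/Dec/2025:10:00:09 +0000] "POST /tracker/trigger/2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Dec/2025:10:00:11 +0000] "GET /tracker/trigger/1 HTTP/1.1" 200 512 "https://external.example.net/" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Dec/2025:10:00:12 +0000] "POST /plugins/tracker/?func=submit HTTP/1.1" 302 0 "https://external.example.net/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, ref in suspicious_trigger_requests(SAMPLE_LOG, "tuleap.example.com"):
        print(f"{ip} POST {path} referer={ref}")
```

Run it against the real access log with `suspicious_trigger_requests(open(path), "your.tuleap.host")`; a GET to the same path and POSTs to other routes are deliberately ignored so the output stays focused on the state-changing trigger endpoint.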
disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-64760 is to upgrade to a patched version of Tuleap. Upgrade Tuleap Community Edition to version 17.0.99.1763126988 or Tuleap Enterprise Edition to version 17.0-3 or 16.13-8. If a direct upgrade is not feasible due to compatibility issues, consider rolling back to a previous, known-good version of Tuleap before the vulnerability was introduced. While a direct fix is preferred, implementing strict Content Security Policy (CSP) headers can help mitigate CSRF attacks by restricting the sources from which scripts can be executed. Monitor Tuleap logs for suspicious activity, particularly requests originating from unexpected sources or with unusual parameters. There are no specific Sigma/YARA rules available for this particular vulnerability at this time.
Update Tuleap to version 17.0.99.1763126988 or later for the Community Edition, or to version 17.0-3 or 16.13-8 or later for the Enterprise Edition. This fixes the CSRF vulnerabilities in the tracker trigger management system.
CVE-2025-64760 is a Cross-Site Request Forgery (CSRF) vulnerability in Tuleap versions prior to 17.0.99.1763126988 and 17.0-3/16.13-8, allowing attackers to create/remove tracker triggers.
You are affected if you are running Tuleap Community Edition ≤17.0.99.1763126987 or Tuleap Enterprise Edition prior to 17.0-3 or 16.13-8.
Upgrade to Tuleap Community Edition 17.0.99.1763126988 or Tuleap Enterprise Edition 17.0-3 or 16.13-8. Consider CSP headers and log monitoring as additional security measures.
There is currently no evidence of active exploitation of CVE-2025-64760.
Refer to the official Tuleap security advisories on their website for the most up-to-date information and guidance.