Platform: php
Component: tuleap
Fixed in: 17.0.100, 17.0.1, 16.13.1
CVE-2025-65962 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in Tuleap, a free and open-source suite for software development and collaboration. This flaw allows attackers to manipulate tracker fields within Tuleap, potentially leading to unauthorized modifications of data. The vulnerability impacts Tuleap Community Edition versions prior to 17.0.99.1763803709 and Tuleap Enterprise Edition versions prior to 17.0-4 and 16.13-9. A fix is available in Tuleap Community Edition version 17.0.99.1763803709 and Tuleap Enterprise Edition versions 17.0-4 and 16.13-9.
Successful exploitation of CVE-2025-65962 allows an attacker to forge requests on behalf of an authenticated user, enabling them to modify tracker fields within the Tuleap system. This could involve altering task assignments, changing issue priorities, or manipulating other critical data elements. The impact is directly proportional to the privileges of the user whose session is hijacked. An attacker could potentially gain unauthorized access to sensitive information or disrupt workflows by maliciously altering data. While the vulnerability is classified as CSRF, the potential for data manipulation within a collaborative development environment makes it a significant concern.
CVE-2025-65962 was publicly disclosed on December 8, 2025. There is no indication of active exploitation campaigns at this time. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 4.6 indicates a Medium severity, suggesting a moderate probability of exploitation if a suitable attack vector is discovered.
Organizations utilizing Tuleap Enterprise Edition in collaborative software development environments are at risk. Specifically, deployments with shared user accounts or those lacking robust access controls are more vulnerable. Legacy Tuleap installations running versions prior to 16.13-9 are particularly exposed.
• php: Examine Tuleap application logs for suspicious requests originating from unexpected origins. Look for POST requests to tracker field update endpoints with unusual referer headers. In the Apache combined log format the Referer value is the first quoted field after the status code and response size, so list tracker POSTs and drop those whose Referer points back at your own Tuleap host (replace the hostname with your own):
grep 'POST [^"]*tracker' /var/log/apache2/access.log | grep -v '"https\?://tuleap\.example\.com'
• generic web: Check for unusual tracker field modifications in Tuleap. Monitor user activity for unexpected changes to task assignments or issue priorities.
• generic web: Review Tuleap's Content Security Policy (CSP) configuration. Ensure it restricts resource loading to trusted origins to mitigate CSRF attacks.
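The Referer check from the detection bullet above, carried through as an added example (not Tuleap's own code or tooling): it parses Apache combined-format lines and flags tracker POSTs whose Referer is absent or from a host other than the Tuleap instance. It assumes the tracker UI is served under `/plugins/tracker/` and uses a placeholder hostname `tuleap.example.com`; the Origin header would be a stronger signal, but the default combined format does not record it.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Assumption: the tracker UI is served under /plugins/tracker/; adjust to your deployment.
TRACKER_PATH_PREFIX = "/plugins/tracker/"


def parse_combined(line):
    """Fields of one combined-format line, or None if the line does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_host(referer):
    """Lowercased host of a Referer value; '' when absent ('-') or unparseable."""
    if not referer or referer == "-":
        return ""
    return (urlsplit(referer).hostname or "").lower()


def find_suspicious_tracker_posts(lines, trusted_host):
    """Flag POSTs to tracker paths whose Referer is missing or from another host."""
    # A cross-site request carries the foreign page as Referer, or none at all under a
    # strict referrer policy, so a hit is a triage lead, not proof of an attack.
    trusted = trusted_host.lower()
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None or rec["method"] != "POST" or not rec["path"].startswith(TRACKER_PATH_PREFIX):
            continue
        host = referer_host(rec["referer"])
        if host != trusted:
            hits.append({"client": rec["client"], "time": rec["time"], "path": rec["path"],
                         "referer": rec["referer"],
                         "reason": "foreign referer" if host else "missing referer"})
    return hits


# Constructed sample lines (not from a real deployment): a legitimate same-origin update,
# a POST with a foreign Referer, a POST with no Referer, and a GET that must be ignored.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Dec/2025:10:01:02 +0000] "POST /plugins/tracker/?aid=42 HTTP/1.1" 302 0 "https://tuleap.example.com/plugins/tracker/?aid=42" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Dec/2025:10:03:15 +0000] "POST /plugins/tracker/?aid=42 HTTP/1.1" 302 0 "https://other.example.net/page.html" "Mozilla/5.0"',
    '198.51.100.9 - - [08/Dec/2025:10:04:40 +0000] "POST /plugins/tracker/?aid=42 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Dec/2025:10:05:00 +0000] "GET /plugins/tracker/?aid=42 HTTP/1.1" 200 5120 "https://other.example.net/page.html" "Mozilla/5.0"',
]
```

Run it against a real access log with `find_suspicious_tracker_posts(open(path), "your.tuleap.host")`; a legitimate cross-site integration or a privacy-oriented referrer policy will also produce hits, so review them rather than alerting on each one.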
EPSS: 0.02% (5th percentile)
The primary mitigation for CVE-2025-65962 is to upgrade Tuleap to a patched version. Upgrade to either Tuleap Community Edition version 17.0.99.1763803709 or Tuleap Enterprise Edition versions 17.0-4 or 16.13-9. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as enforcing strict content security policies (CSP) to restrict the origins from which Tuleap can load resources. Additionally, review and strengthen user authentication practices, including multi-factor authentication (MFA), to reduce the risk of session hijacking. After upgrade, confirm the fix by attempting a CSRF attack on a tracker field and verifying that the request is rejected.
Update Tuleap Community Edition to version 17.0.99.1763803709 or later. If you use Tuleap Enterprise Edition, update to version 17.0-4 or 16.13-9 or later, as appropriate. This fixes the CSRF vulnerability in the tracker field dependencies.
CVE-2025-65962 is a CSRF vulnerability in Tuleap Enterprise Edition allowing attackers to modify tracker fields. It affects versions ≤ 16.13-9 and has a Medium severity (CVSS 4.6).
You are affected if you are running Tuleap Enterprise Edition versions prior to 17.0-4 or 16.13-9. Check your version and upgrade accordingly.
Upgrade to Tuleap Enterprise Edition version 17.0-4 or 16.13-9. Consider implementing CSP as a temporary workaround if immediate upgrade is not possible.
There is currently no evidence of active exploitation campaigns for CVE-2025-65962.
Refer to the official Tuleap security advisories on their website for detailed information and updates regarding CVE-2025-65962.