Scan free
LOWCVE-2025-68163CVSS 3.5

CVE-2025-68163: XSS in JetBrains TeamCity

Platform

teamcity

Component

teamcity

Fixed in

2025.11

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026
View on NVD
Save

CVE-2025-68163 describes a stored Cross-Site Scripting (XSS) vulnerability discovered in JetBrains TeamCity. This vulnerability allows an attacker to inject malicious scripts that are then executed in the browsers of other users. The vulnerability affects TeamCity versions prior to 2025.11 and has been resolved with the release of version 2025.11.

Impact and Attack Scenarios

Successful exploitation of this XSS vulnerability could allow an attacker to execute arbitrary JavaScript code within the context of a user's TeamCity session. This could lead to various malicious actions, including stealing sensitive user data like credentials, session cookies, or other personally identifiable information. An attacker could also potentially redirect users to phishing sites or deface the TeamCity interface. The impact is amplified if the affected TeamCity instance manages critical build processes or contains sensitive project data.

Exploitation Context

This vulnerability was publicly disclosed on December 16, 2025. As of the current date, there are no publicly available proof-of-concept exploits. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the potential impact warrants prompt remediation. It is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.01% (1% percentile)

CISA SSVC

Exploitationnone
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N3.5LOWAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredHighAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityLowRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentteamcity
VendorJetBrains
Affected rangeFixed in
0 – 2025.112025.11

Weakness Classification (CWE)

CWE-79

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-68163 is to upgrade TeamCity to version 2025.11 or later, which includes the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing strict input validation and output encoding on the agentpushInstall page to sanitize user-supplied data. While not a complete solution, this can reduce the attack surface. Review TeamCity's access control policies to ensure that only authorized users have access to sensitive areas of the application.

How to fix

Update JetBrains TeamCity to version 2025.11 or later. This will resolve the stored XSS vulnerability on the agentpushInstall page.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-68163 — XSS in JetBrains TeamCity?

CVE-2025-68163 is a stored XSS vulnerability affecting JetBrains TeamCity versions before 2025.11, allowing attackers to inject malicious scripts on the agentpushInstall page.

Am I affected by CVE-2025-68163 in JetBrains TeamCity?

If you are using JetBrains TeamCity versions 0–2025.11, you are potentially affected by this vulnerability. Upgrade to 2025.11 or later to mitigate the risk.

How do I fix CVE-2025-68163 in JetBrains TeamCity?

The recommended fix is to upgrade to JetBrains TeamCity version 2025.11 or a later version. This includes the necessary security patch to address the XSS vulnerability.

Is CVE-2025-68163 being actively exploited?

As of the current date, there are no confirmed reports of active exploitation of CVE-2025-68163, but it is crucial to apply the patch proactively.

Where can I find the official JetBrains advisory for CVE-2025-68163?

Please refer to the official JetBrains security advisory for CVE-2025-68163 on the JetBrains website: [https://www.jetbrains.com/security/advisories/]

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs