Platform
teamcity
Component
teamcity
Fixed in
2025.07
CVE-2025-54529 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in JetBrains TeamCity. This flaw allows an attacker to potentially trigger unauthorized actions within the external OAuth login integration process. The vulnerability affects TeamCity versions prior to 2025.07, and a patch is available in version 2025.07.
The CSRF vulnerability in TeamCity allows an attacker to craft malicious requests that appear to originate from a legitimate user. If a user is authenticated and visits a crafted URL, the attacker can potentially trigger actions within the OAuth login flow without the user's knowledge or consent. This could lead to account takeover, unauthorized data access, or other malicious activities depending on the permissions associated with the OAuth integration. The impact is considered low due to the requirement of user interaction and the specific context of the OAuth login flow.
This vulnerability was publicly disclosed on 2025-07-28. No known public proof-of-concept exploits are currently available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The low CVSS score suggests a relatively low probability of exploitation, but organizations should still prioritize patching to eliminate the risk.
Exploit Status
EPSS
0.00% (0% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-54529 is to upgrade TeamCity to version 2025.07 or later, which includes the fix. If upgrading immediately is not feasible, consider implementing stricter input validation and output encoding within the OAuth integration to reduce the attack surface. Review and restrict OAuth scopes granted to third-party applications to minimize potential damage. Implement CSRF protection mechanisms, such as synchronizer tokens or double-submit cookies, within the OAuth login process as a temporary workaround. After upgrading, confirm the fix by attempting a CSRF attack on the OAuth login endpoint and verifying that the request is rejected.
Update TeamCity to version 2025.07 or later. This will correct the CSRF vulnerability in the external OAuth login integration. See the JetBrains website for instructions on how to update TeamCity.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-54529 is a Cross-Site Request Forgery (CSRF) vulnerability affecting JetBrains TeamCity versions before 2025.07, allowing attackers to trigger unauthorized actions within the OAuth login flow.
If you are using JetBrains TeamCity versions 0–2025.07 and have external OAuth login integrations enabled, you are potentially affected by this vulnerability.
Upgrade JetBrains TeamCity to version 2025.07 or later to remediate the vulnerability. Consider temporary workarounds like stricter input validation if immediate upgrade is not possible.
As of the current disclosure date, there are no confirmed reports of active exploitation, but organizations should still prioritize patching to mitigate the risk.
Refer to the official JetBrains security advisory for CVE-2025-54529 on the JetBrains website for detailed information and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.