Platform: teamcity
Component: teamcity
Fixed in: 2025.07
CVE-2025-54531 describes a Path Traversal vulnerability discovered in JetBrains TeamCity. This flaw allows attackers to potentially access arbitrary files on the server by manipulating the plugin unpacking process, specifically on Windows systems. Versions prior to 2025.07 are affected, and a patch is available in version 2025.07.
The core of this vulnerability lies in the way TeamCity unpacks plugin archives on Windows. An attacker could craft a plugin archive whose entry paths, when unpacked, resolve outside the intended plugin directory, giving write or read access to other locations on the server's file system. This could include configuration files containing credentials, build scripts with secrets, or even system files. Successful exploitation could lead to unauthorized access to sensitive data, code execution, and potentially complete compromise of the TeamCity server. While the vulnerability is specific to Windows, the potential impact is significant given TeamCity's role in many CI/CD pipelines.
This vulnerability was publicly disclosed on 2025-07-28. No public proof-of-concept (PoC) code has been released at the time of writing, but the path traversal nature of the vulnerability suggests that a PoC could be developed relatively easily. The vulnerability's severity is rated HIGH (CVSS 7.7), indicating a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.00% (0th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-54531 is to upgrade TeamCity to version 2025.07 or later, which includes the fix. If an immediate upgrade is not feasible, consider temporarily restricting plugin installations to trusted sources only. Run the TeamCity server under a least-privilege account with strict file system permissions so that a traversal outside the plugin directory cannot reach sensitive files. Monitor TeamCity logs for any unusual plugin installation or unpacking activity. While a WAF is unlikely to directly mitigate this, it could help detect and block suspicious plugin uploads.
Update TeamCity to version 2025.07 or later. This update fixes the path traversal vulnerability during plugin unpacking on Windows.
CVE-2025-54531 is a Path Traversal vulnerability in JetBrains TeamCity versions 0–2025.07, allowing attackers to access files via plugin unpacking on Windows.
If you are running JetBrains TeamCity versions 0–2025.07 on a Windows server, you are potentially affected by this vulnerability.
Upgrade to JetBrains TeamCity version 2025.07 or later to remediate the vulnerability. Consider restricting plugin installations to trusted sources as a temporary measure.
While no active exploitation has been confirmed, the vulnerability's nature suggests a potential for exploitation, and it's recommended to apply the patch promptly.
Refer to the JetBrains security advisory for detailed information and updates: [https://www.jetbrains.com/security/announcements/cve-2025-54531/]