Platform: php
Component: tuleap
Fixed in: 16.13.100, 16.13.1, 16.12.1
CVE-2025-64117 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting Tuleap Community Edition versions prior to 16.13.99.1761813675 and Tuleap Enterprise Edition versions prior to 16.13-5 and 16.12-8. This flaw allows an attacker to potentially manipulate SVN commit rules and immutable tags within a repository by deceiving authenticated users. The vulnerability has been resolved in Tuleap Community Edition 16.13.99.1761813675, Tuleap Enterprise Edition 16.13-5, and Tuleap Enterprise Edition 16.12-8.
An attacker can exploit this CSRF vulnerability to gain unauthorized control over SVN repositories managed by Tuleap. By crafting malicious requests and tricking authenticated users into executing them, an attacker could modify commit rules, potentially allowing unauthorized code changes or bypassing security controls. They could also alter immutable tags, disrupting version control and potentially leading to data corruption or loss. The impact is particularly severe in environments where SVN is used for critical software development or deployment pipelines, as a successful attack could compromise the integrity of the entire codebase.
CVE-2025-64117 was published on 2025-11-12. There is no indication of active exploitation or KEV listing at the time of writing. No public proof-of-concept (PoC) code has been released. The vulnerability's impact relies on social engineering to trick users, which may lower the probability of exploitation compared to remote code execution vulnerabilities.
Exploit Status
EPSS: 0.03% (8th percentile)
The primary mitigation for CVE-2025-64117 is to upgrade Tuleap to a patched version: 16.13.99.1761813675, 16.13-5, or 16.12-8. If an immediate upgrade is not feasible, consider implementing stricter access controls and input validation on SVN commit rule and immutable tag management interfaces. Implementing a Content Security Policy (CSP) with strict origin restrictions can also help mitigate CSRF attacks. Regularly review SVN commit logs for any suspicious activity. After upgrading, confirm the fix by attempting to trigger a CSRF request and verifying that it is blocked.
Update Tuleap Community Edition to version 16.13.99.1761813675 or later. If you are using Tuleap Enterprise Edition, update to version 16.13-5 or 16.12-8, or a later version as appropriate. This will resolve the CSRF vulnerability in the management of SVN commit rules and immutable tags.
CVE-2025-64117 is a Cross-Site Request Forgery (CSRF) vulnerability in Tuleap Enterprise Edition versions less than or equal to 16.13-5, allowing attackers to manipulate SVN commit rules and immutable tags.
You are affected if you are running Tuleap Enterprise Edition versions prior to 16.13-5 or 16.12-8, or Tuleap Community Edition prior to 16.13.99.1761813675.
Upgrade to Tuleap Enterprise Edition version 16.13-5 or 16.12-8, or Tuleap Community Edition version 16.13.99.1761813675. Consider implementing stricter access controls as an interim measure.
There is currently no public information indicating that CVE-2025-64117 is being actively exploited.
Refer to the official Tuleap security advisory for detailed information and updates: [https://www.tuleap.org/security/advisories/](https://www.tuleap.org/security/advisories/)