Platform: php
Component: tuleap
Fixed in: 17.0.100, 17.0.1, 16.13.1, 16.12.1
CVE-2025-64498 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting Tuleap Enterprise Edition. This flaw allows an attacker to trick authenticated users into unknowingly making changes to tracker general settings within the Tuleap platform. The vulnerability impacts versions of Tuleap Enterprise Edition prior to 17.0-2, 16.13-7, and 16.12-10. A fix is available in versions 17.0-2, 16.13-7, and 16.12-10.
Successful exploitation of this CSRF vulnerability allows an attacker to manipulate Tuleap's tracker settings without the victim's knowledge or consent. This could lead to unauthorized modifications of tracking configurations, potentially impacting data integrity and operational workflows. An attacker could craft malicious links or embed requests within trusted websites to trigger these changes. The blast radius is limited to users with access to modify tracker settings within Tuleap, but the impact on those users can be significant, potentially disrupting tracking processes and introducing errors.
This vulnerability was publicly disclosed on 2025-12-08. No public proof-of-concept (POC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The medium CVSS score indicates a moderate risk level, suggesting that exploitation is possible but not highly probable without significant effort.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-64498 is to upgrade Tuleap Enterprise Edition to version 17.0-2, 16.13-7, or 16.12-10. If an immediate upgrade is not feasible, consider implementing stricter input validation and output encoding on all user-supplied data within Tuleap. Additionally, implement CSRF protection mechanisms, such as synchronizer tokens or double-submit cookies, to prevent unauthorized requests. Review and restrict access permissions to tracker settings to limit the potential impact of a successful attack. After upgrading, confirm the fix by attempting to trigger a tracker setting modification via a crafted CSRF request – it should be rejected.
Update Tuleap Community Edition to version 17.0.99.1762444754 or later. If you are using Tuleap Enterprise Edition, update to version 17.0-2, 16.13-7 or 16.12-10, or a later version.
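The synchronizer-token pattern named above is the standard server-side CSRF defense for a state-changing form such as a tracker settings page. The following is an added illustration written for this page, not Tuleap's own code: the function names, the form fields and the `$session` array (which stands in for `$_SESSION` so the script runs from the command line) are all assumptions. It shows a per-session token being issued with the form, compared in constant time on submission, and a request that lacks the token being refused, which is the behaviour the verification step in the mitigation paragraph expects to see.

```php
<?php
// Added example (not Tuleap's code): synchronizer-token CSRF protection for a
// settings form. $session stands in for $_SESSION so this runs from the CLI.

declare(strict_types=1);

/** Issue one random token per session and reuse it for every form render. */
function generate_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit random token
    }
    return $session['csrf_token'];
}

/** Render the settings form with the token embedded as a hidden field. */
function render_settings_form(array &$session): string
{
    $token = htmlspecialchars(generate_csrf_token($session), ENT_QUOTES, 'UTF-8');
    return "<form method=\"post\" action=\"/tracker/settings\">\n"
         . "  <input type=\"hidden\" name=\"csrf_token\" value=\"$token\">\n"
         . "  <input name=\"tracker_name\">\n"
         . "  <button type=\"submit\">Save</button>\n"
         . "</form>\n";
}

/** True only when the submitted token equals the session token. */
function verify_csrf_token(array $session, array $post): bool
{
    $expected  = $session['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

/** Apply the settings change only after the token check passes. */
function handle_settings_update(array &$session, array $post): array
{
    if (!verify_csrf_token($session, $post)) {
        return ['status' => 403, 'body' => 'CSRF token missing or invalid'];
    }
    // ... persist the tracker settings here ...
    return ['status' => 200, 'body' => 'Tracker settings updated'];
}

// Demonstration with a constructed session and two constructed requests.
$session = [];
echo render_settings_form($session);

// A submission from the rendered form carries the session's token.
$legit = ['csrf_token' => $session['csrf_token'], 'tracker_name' => 'Bugs'];
print_r(handle_settings_update($session, $legit));

// A request submitted from another origin cannot read the token, so it
// arrives without one and must be refused.
$forged = ['tracker_name' => 'Bugs'];
print_r(handle_settings_update($session, $forged));
```

The token is tied to the session rather than to the form, so it cannot be obtained by a page on another origin, and `hash_equals` avoids leaking the token's value through timing differences. A production implementation would also rotate the token on login and reject non-POST methods for the settings endpoint.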
CVE-2025-64498 is a Cross-Site Request Forgery (CSRF) vulnerability in Tuleap Enterprise Edition, allowing attackers to modify tracker settings without user consent.
You are affected if you are running Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7, or 16.12-10.
Upgrade to Tuleap Enterprise Edition version 17.0-2, 16.13-7, or 16.12-10. Implement CSRF protection mechanisms as a temporary workaround.
There is no confirmed active exploitation of CVE-2025-64498 at this time, but the vulnerability is publicly known.
Refer to the official Tuleap security advisory for detailed information and updates regarding CVE-2025-64498.