Platform
php
Component
tuleap
Fixed in
17.0.100
17.0.1
16.13.1
CVE-2025-64760 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in Tuleap, a free and open-source software development and collaboration suite. This flaw allows an attacker to manipulate Tuleap's tracker triggers, potentially leading to unauthorized actions within the system. The vulnerability impacts Tuleap Community Edition versions prior to 17.0.99.1763126988 and Tuleap Enterprise Edition versions prior to 17.0-3 and 16.13-8. A fix is available in the specified updated versions.
Successful exploitation of CVE-2025-64760 allows an attacker to craft malicious requests that, when triggered by a legitimate user, can result in the creation or deletion of tracker triggers within Tuleap. Tracker triggers are automated actions that occur when specific events happen within the system, such as sending notifications or updating fields. An attacker could leverage this to disrupt workflows, exfiltrate sensitive data (if triggers are configured to expose it), or even gain unauthorized access to other parts of the Tuleap system depending on trigger configurations. The blast radius is directly tied to the privileges associated with the affected tracker triggers and the data they interact with.
CVE-2025-64760 was publicly disclosed on December 8, 2025. There is no indication of this vulnerability being actively exploited at the time of publication. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not currently available, but the CSRF nature of the vulnerability means that exploitation is likely possible with relatively simple tooling.
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-64760 is to upgrade to a patched version of Tuleap. Upgrade Tuleap Community Edition to version 17.0.99.1763126988 or Tuleap Enterprise Edition to version 17.0-3 or 16.13-8. If a direct upgrade is not feasible due to compatibility issues, consider rolling back to a previous, known-good version of Tuleap before the vulnerability was introduced. While a direct fix is preferred, implementing strict Content Security Policy (CSP) headers can help mitigate CSRF attacks by restricting the sources from which scripts can be executed. Monitor Tuleap logs for suspicious activity, particularly requests originating from unexpected sources or with unusual parameters. There are no specific Sigma/YARA rules available for this particular vulnerability at this time.
Update Tuleap to version 17.0.99.1763126988 or later for the Community Edition, or to version 17.0-3 or 16.13-8 or later for the Enterprise Edition. This will correct the CSRF vulnerabilities in the tracker trigger management system.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-64760 is a Cross-Site Request Forgery (CSRF) vulnerability in Tuleap versions prior to 17.0.99.1763126988 and 17.0-3/16.13-8, allowing attackers to create/remove tracker triggers.
You are affected if you are running Tuleap Community Edition ≤17.0.99.1763126987 or Tuleap Enterprise Edition prior to 17.0-3 or 16.13-8.
Upgrade to Tuleap Community Edition 17.0.99.1763126988 or Tuleap Enterprise Edition 17.0-3 or 16.13-8. Consider CSP headers and log monitoring as additional security measures.
There is currently no evidence of active exploitation of CVE-2025-64760.
Refer to the official Tuleap security advisories on their website for the most up-to-date information and guidance.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.