Platform
teamcity
Component
teamcity
Fixed in
2025.11
CVE-2025-68163 describes a stored Cross-Site Scripting (XSS) vulnerability discovered in JetBrains TeamCity. This vulnerability allows an attacker to inject malicious scripts that are then executed in the browsers of other users. The vulnerability affects TeamCity versions prior to 2025.11 and has been resolved with the release of version 2025.11.
Successful exploitation of this XSS vulnerability could allow an attacker to execute arbitrary JavaScript code within the context of a user's TeamCity session. This could lead to various malicious actions, including stealing sensitive user data like credentials, session cookies, or other personally identifiable information. An attacker could also potentially redirect users to phishing sites or deface the TeamCity interface. The impact is amplified if the affected TeamCity instance manages critical build processes or contains sensitive project data.
This vulnerability was publicly disclosed on December 16, 2025. As of the current date, there are no publicly available proof-of-concept exploits. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the potential impact warrants prompt remediation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.01% (1% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-68163 is to upgrade TeamCity to version 2025.11 or later, which includes the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing strict input validation and output encoding on the agentpushInstall page to sanitize user-supplied data. While not a complete solution, this can reduce the attack surface. Review TeamCity's access control policies to ensure that only authorized users have access to sensitive areas of the application.
Update JetBrains TeamCity to version 2025.11 or later. This will resolve the stored XSS vulnerability on the agentpushInstall page.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-68163 is a stored XSS vulnerability affecting JetBrains TeamCity versions before 2025.11, allowing attackers to inject malicious scripts on the agentpushInstall page.
If you are using JetBrains TeamCity versions 0–2025.11, you are potentially affected by this vulnerability. Upgrade to 2025.11 or later to mitigate the risk.
The recommended fix is to upgrade to JetBrains TeamCity version 2025.11 or a later version. This includes the necessary security patch to address the XSS vulnerability.
As of the current date, there are no confirmed reports of active exploitation of CVE-2025-68163, but it is crucial to apply the patch proactively.
Please refer to the official JetBrains security advisory for CVE-2025-68163 on the JetBrains website: [https://www.jetbrains.com/security/advisories/]
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.