Platform: php
Component: tuleap
Fixed in: 16.13.100, 17.0.1, 16.13.1, 16.12.1
CVE-2025-64482 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting Tuleap, an open-source suite for managing software development and collaboration. The flaw allows an attacker who tricks an authenticated user into sending a crafted request to manipulate the commit rules or immutable tags of an SVN repository. The vulnerability impacts Tuleap Community Edition prior to version 16.13.99.1762267347 and Tuleap Enterprise Edition prior to versions 17.0-1, 16.13-6, and 16.12-9. The issue is resolved in Tuleap Enterprise Edition 17.0.1.
Successful exploitation of CVE-2025-64482 could allow an attacker to gain unauthorized control over an SVN repository within a Tuleap environment. This could involve modifying commit rules, effectively bypassing version control restrictions and potentially allowing malicious code into the codebase. The attacker could also alter immutable tags, disrupting the integrity and traceability of software releases. The impact extends to any user with access to the affected SVN repository, since such users could be tricked into performing actions they did not intend. While no direct data exfiltration is described, compromise of the repository could lead to further attacks and data breaches.
CVE-2025-64482 was publicly disclosed on 2025-11-12. There is no indication of this vulnerability being actively exploited at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not currently available, but the CSRF nature of the vulnerability means that exploitation is likely possible with moderate effort.
Organizations using Tuleap Enterprise Edition for software development and collaboration are at risk, particularly those relying on SVN for version control. Teams with shared hosting environments or those using legacy Tuleap configurations are especially vulnerable, as they may have less control over security settings and be slower to apply updates.
• php: Examine Tuleap application logs for suspicious requests originating from IP addresses other than the ones the authenticated user normally connects from. Look for patterns indicating unauthorized modifications to SVN repository settings.
• generic web: Monitor access logs for requests to the file release system with unusual parameters or headers. Use curl to test for CSRF vulnerabilities by crafting malicious requests and observing the server's response.
curl -X POST -d "param=malicious_value" https://tuleap-server/file_release_endpoint
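As an added example of the log monitoring described above (not code from the original page or from the Tuleap project), the following Python script parses constructed Apache combined-format access-log lines and flags state-changing requests to SVN settings pages whose Referer is missing or points to another origin, the classic trace a CSRF request leaves. The endpoint paths, hostnames and log lines are assumed placeholders, not Tuleap's real routes or real traffic.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of Apache "combined" access-log lines (not real Tuleap logs).
# The SVN settings paths below are assumed placeholders, not Tuleap's actual routes.
SAMPLE_LOG = """\
203.0.113.10 - alice [12/Nov/2025:10:01:02 +0000] "POST /plugins/svn/admin/commit-rules HTTP/1.1" 302 0 "https://tuleap.example/plugins/svn/admin" "Mozilla/5.0"
198.51.100.7 - alice [12/Nov/2025:10:05:44 +0000] "POST /plugins/svn/admin/commit-rules HTTP/1.1" 302 0 "https://evil.example/lure.html" "Mozilla/5.0"
198.51.100.7 - bob [12/Nov/2025:10:06:01 +0000] "POST /plugins/svn/admin/immutable-tags HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - alice [12/Nov/2025:10:07:15 +0000] "GET /plugins/svn/admin/commit-rules HTTP/1.1" 200 4123 "https://tuleap.example/" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed placeholder paths for the SVN commit-rules and immutable-tags settings.
WATCHED_PATHS = ("/plugins/svn/admin/commit-rules", "/plugins/svn/admin/immutable-tags")

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def referer_mismatch(referer, expected_host):
    """True when a state-changing request carries no Referer or one from another origin."""
    if referer in ("", "-"):
        return True
    return urlsplit(referer).hostname != expected_host

def find_csrf_suspects(log_text, expected_host):
    """Flag POST/PUT/DELETE requests to watched settings paths with a foreign or absent Referer."""
    suspects = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] not in ("POST", "PUT", "DELETE"):
            continue
        if not rec["path"].startswith(WATCHED_PATHS):
            continue
        if referer_mismatch(rec["referer"], expected_host):
            suspects.append((rec["user"], rec["ip"], rec["path"], rec["referer"]))
    return suspects

if __name__ == "__main__":
    for user, ip, path, referer in find_csrf_suspects(SAMPLE_LOG, "tuleap.example"):
        print(f"suspect: user={user} ip={ip} path={path} referer={referer!r}")
```

A missing Referer alone is not proof (privacy extensions strip it), so treat hits as leads to correlate with the SVN settings history rather than as confirmed exploitation.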
Exploit status
EPSS
0.03% (percentile 8%)
The primary mitigation for CVE-2025-64482 is to upgrade Tuleap Enterprise Edition to version 17.0.1 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as restricting access to the file release system to trusted users only. Implement strict input validation and output encoding on all user-supplied data to reduce the attack surface. Consider using a Web Application Firewall (WAF) with CSRF protection rules to block malicious requests. After upgrading, confirm the fix by attempting a CSRF attack on the file release system and verifying that the request is blocked.
Update Tuleap Community Edition to version 16.13.99.1762267347 or later. For Tuleap Enterprise Edition, update to version 17.0-1, 16.13-6 or 16.12-9 or later, depending on the release line you are running.
CVE-2025-64482 is a Cross-Site Request Forgery vulnerability in Tuleap Enterprise Edition that allows attackers to manipulate SVN repository settings by tricking authenticated users. It impacts versions ≤17.0-1.
If you are running Tuleap Enterprise Edition versions prior to 17.0.1, you are potentially affected by this CSRF vulnerability. Check your version and upgrade immediately.
Upgrade Tuleap Enterprise Edition to version 17.0.1 or later to resolve the CSRF vulnerability. Consider temporary workarounds like restricting access to the file release system if immediate upgrade is not possible.
There is currently no evidence of CVE-2025-64482 being actively exploited, but the CSRF nature of the vulnerability makes exploitation possible.
Refer to the official Tuleap security advisory for CVE-2025-64482 on the Tuleap website or security mailing list for the latest information and updates.