Platform
php
Component
tuleap
Fixed in
17.0.100
17.0.1
16.13.1
16.12.1
CVE-2025-64499 is a Cross-Site Request Forgery (CSRF) vulnerability in Tuleap, a free and open-source suite for software development and collaboration management. The planning management API did not verify that state-changing requests were deliberately issued by the logged-in user, so an attacker who gets an authenticated Tuleap user to open a page the attacker controls can make that user's browser create, modify or delete plans on the attacker's behalf. Tuleap Community Edition before 17.0.99.1762456922 and Tuleap Enterprise Edition before 17.0-2, 16.13-7 and 16.12-10 are affected; those versions contain the fix.
Successful exploitation of CVE-2025-64499 lets an attacker perform actions in the Tuleap environment through a victim's authenticated session: specifically, creating, editing or deleting plans, which can disrupt workflows or introduce malicious planning configurations. Because the forged request is sent by the victim's browser and the attacker never sees the response, the flaw does not by itself expose data; the damage is to the integrity of planning data. The blast radius is bounded by the victim's permissions: a plan changed in the name of a user who administers several projects can affect all of those projects and their teams. While the vulnerability does not directly lead to system compromise, it can be a stepping stone for further attacks when combined with other vulnerabilities or misconfigurations.
CVE-2025-64499 is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a lower probability of immediate widespread exploitation. However, the ease of CSRF exploitation means that this vulnerability could be targeted by opportunistic attackers. The vulnerability was publicly disclosed on 2025-12-08.
Organizations that rely heavily on Tuleap for software development and collaboration management are at risk, particularly those still running affected versions. Instances used by many people who hold planning administration rights are at increased risk: the attacker needs no account on the instance, only a way to get a privileged user to open attacker-controlled content (a link in an issue comment, an e-mail or an external page) while logged in to Tuleap.
• php: Examine the web server access log for state-changing requests (POST/PUT/DELETE) to the planning pages whose Referer is missing or belongs to another origin. With Apache's combined log format, for example (replace the host with your own):
grep -E '"(POST|PUT|DELETE) ' /var/log/apache2/access.log | grep -vE '"https://tuleap\.example\.org/[^"]*" "[^"]*"$'
• generic web: Monitor Tuleap's web application firewall (WAF) logs for CSRF patterns: state-changing requests whose Origin or Referer header points to another site, or in which the expected anti-CSRF form field is absent.
• generic web: Inspect the plan creation and edit forms, and the requests they submit, for a per-session anti-CSRF token. The token travels in the form body, not in response headers; a state-changing request that succeeds without it indicates the protection is missing.
• generic web: Use a web proxy to capture a plan-modification request, then replay it with the anti-CSRF token removed while keeping the session cookie. A patched instance must reject the replay.
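The log check from the list above, carried out over a few constructed log lines, as an added example in Python (this is not code from the page or from the Tuleap project). It assumes Apache's combined log format, a placeholder hostname `tuleap.example.org`, and a placeholder path prefix `/plugins/agiledashboard/` for the planning pages, since the advisory does not name the endpoint; set both to what your own instance uses.

```python
import re
from urllib.parse import urlsplit

# Origin of the Tuleap instance being monitored. Assumption: placeholder
# hostname, not taken from the advisory; replace with your own.
TULEAP_ORIGIN = "https://tuleap.example.org"

# Path prefix under which plan create/edit/delete requests arrive.
# Assumption: the advisory does not name the endpoint, so this is a
# placeholder; use the paths your instance sends when you save a plan.
PLANNING_PATH_PREFIX = "/plugins/agiledashboard/"

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Apache/nginx "combined" format. Assumption: adjust if your LogFormat differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_cross_origin(referer):
    """True when the Referer is absent or names an origin other than Tuleap's."""
    if referer in ("", "-"):
        return True
    r, o = urlsplit(referer), urlsplit(TULEAP_ORIGIN)
    return (r.scheme, r.netloc.lower()) != (o.scheme, o.netloc.lower())


def suspicious_planning_requests(lines):
    """Flag state-changing planning requests that did not come from a Tuleap page."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in STATE_CHANGING:
            continue
        if not rec["path"].startswith(PLANNING_PATH_PREFIX):
            continue
        if is_cross_origin(rec["referer"]):
            hits.append(rec)
    return hits


# Constructed sample lines for this example (not real traffic; the query
# strings are illustrative, not Tuleap's actual parameters).
SAMPLE_LOG = [
    '10.0.0.5 - alice [08/Dec/2025:10:01:02 +0000] "GET /plugins/agiledashboard/?group_id=101 HTTP/1.1" 200 5120 "https://tuleap.example.org/projects/demo" "Mozilla/5.0"',
    '10.0.0.5 - alice [08/Dec/2025:10:01:40 +0000] "POST /plugins/agiledashboard/?group_id=101&action=update HTTP/1.1" 302 0 "https://tuleap.example.org/plugins/agiledashboard/?group_id=101" "Mozilla/5.0"',
    '10.0.0.5 - alice [08/Dec/2025:10:07:13 +0000] "POST /plugins/agiledashboard/?group_id=101&action=update HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '10.0.0.9 - bob [08/Dec/2025:10:09:55 +0000] "POST /plugins/agiledashboard/?group_id=101&action=delete HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - bob [08/Dec/2025:10:10:30 +0000] "POST /plugins/tracker/?tracker=7 HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for rec in suspicious_planning_requests(SAMPLE_LOG):
        print(f'{rec["ts"]} {rec["ip"]} {rec["user"]} {rec["method"]} '
              f'{rec["path"]} referer={rec["referer"]!r}')
```

On the sample above the second POST by alice and the Referer-less delete by bob are flagged; the tracker POST is not, because it is outside the planning prefix. A missing Referer is only a weak signal on its own (browsers strip it under restrictive Referrer-Policy settings), so correlate hits with the user and the time of the change before treating them as exploitation.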
Disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-64499 is to upgrade: Tuleap Community Edition to 17.0.99.1762456922 or later, and Tuleap Enterprise Edition to 17.0-2, 16.13-7 or 16.12-10 depending on the branch in use. Input validation and output encoding do not address CSRF. If an immediate upgrade is not feasible, reduce exposure by rejecting state-changing requests at the reverse proxy when their Origin or Referer header is not your Tuleap host, by serving the session cookie with the SameSite=Lax or SameSite=Strict attribute, and by restricting planning administration rights to the users who need them. After upgrading, confirm the fix with a forged request rather than an unauthenticated one: from a page on another origin (or by replaying a captured request through a proxy with the anti-CSRF token removed), submit a plan creation or modification while a valid Tuleap session cookie is present. The request must be rejected, while the same action submitted from the genuine form must still succeed.
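The behaviour the fix must enforce, and that the verification step above must observe, shown as an added Python model of a plan-creation endpoint (this is not Tuleap's PHP code; the hostname, the `challenge` field name and the handler shapes are this example's assumptions). The vulnerable handler accepts any POST that carries a session cookie; the hardened one adds a same-origin check and a synchronizer token bound to the session.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Origin of the Tuleap instance. Assumption: placeholder hostname.
SITE_ORIGIN = "https://tuleap.example.org"

# Name of the hidden form field carrying the anti-CSRF token. Assumption:
# chosen for this example, not taken from Tuleap's source.
TOKEN_FIELD = "challenge"


@dataclass
class Session:
    """Server-side session; the browser holds only the cookie that names it."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """A request as the endpoint sees it. `session` is whatever the session
    cookie resolved to: the browser attaches that cookie on every request to
    the site, including ones a hostile page provoked."""
    method: str
    session: Optional[Session]
    form: Dict[str, str]
    headers: Dict[str, str]


def create_plan_vulnerable(req: Request, plans: Dict[str, str]):
    """Vulnerable pattern: a valid session cookie is the only check, so a
    POST the victim's browser sent from an attacker's page is accepted."""
    if req.method != "POST" or req.session is None:
        return 403, "authentication required"
    plans[req.form["name"]] = req.session.user
    return 201, "plan created"


def origin_is_trusted(headers: Dict[str, str]) -> bool:
    """Browsers set Origin on cross-site POSTs; fall back to Referer."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False
    return origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")


def create_plan_hardened(req: Request, plans: Dict[str, str]):
    """Hardened pattern: same-origin check plus a synchronizer token that
    only a page served by this site, never a cross-site form, can know."""
    if req.method != "POST" or req.session is None:
        return 403, "authentication required"
    if not origin_is_trusted(req.headers):
        return 403, "cross-origin request rejected"
    submitted = req.form.get(TOKEN_FIELD, "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return 403, "missing or invalid CSRF token"
    plans[req.form["name"]] = req.session.user
    return 201, "plan created"


def run_scenarios():
    """Replay the same forged and genuine requests against both handlers."""
    victim = Session(user="alice")
    # Forged: a form on attacker.example auto-submitted by alice's browser.
    # The session cookie rides along; the token does not, and Origin differs.
    forged = Request("POST", victim, {"name": "evil-plan"},
                     {"Origin": "https://attacker.example"})
    # Genuine: alice submits the real form, which embeds her session token.
    genuine = Request("POST", victim,
                      {"name": "sprint-plan", TOKEN_FIELD: victim.csrf_token},
                      {"Origin": SITE_ORIGIN})
    # Right origin header but a guessed token: must still be refused.
    bad_token = Request("POST", victim, {"name": "x", TOKEN_FIELD: "0" * 64},
                        {"Origin": SITE_ORIGIN})
    results = {}
    for label, handler in (("vulnerable", create_plan_vulnerable),
                           ("hardened", create_plan_hardened)):
        plans: Dict[str, str] = {}
        results[label] = {
            "forged": handler(forged, plans)[0],
            "genuine": handler(genuine, plans)[0],
            "bad_token": handler(bad_token, plans)[0],
            "plans": sorted(plans),
        }
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(label, outcome)
```

The vulnerable handler creates all three plans; the hardened one creates only `sprint-plan`. The origin check is a defence in depth rather than a substitute for the token: some clients and privacy extensions strip Origin and Referer, so a server that relied on the header alone would have to choose between rejecting those users and accepting forgeries. Pairing the token with a SameSite cookie attribute closes the remaining gap for browsers that honour it.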
Update Tuleap Community Edition to version 17.0.99.1762456922 or later. For Tuleap Enterprise Edition, update to version 17.0-2, 16.13-7 or 16.12-10 or later, depending on the branch you currently run. This fixes the CSRF vulnerability in the planning management API.
CVE-2025-64499 is a Cross-Site Request Forgery (CSRF) vulnerability in Tuleap Community Edition before 17.0.99.1762456922 and Tuleap Enterprise Edition before 17.0-2, 16.13-7 and 16.12-10 that lets an attacker make an authenticated user's browser create, modify or delete plans through the planning management API.
You are affected if you run Tuleap Community Edition before 17.0.99.1762456922, or Tuleap Enterprise Edition before 17.0-2, 16.13-7 or 16.12-10 on the corresponding branch.
Upgrade to Tuleap Community Edition 17.0.99.1762456922 or later, or to Tuleap Enterprise Edition 17.0-2, 16.13-7 or 16.12-10. As an interim measure, reject cross-origin state-changing requests at the reverse proxy, set the SameSite attribute on the session cookie, and restrict planning administration rights to the users who need them.
While there are no widespread reports of active exploitation, the ease of CSRF exploitation means it could be targeted by opportunistic attackers.
Refer to the official Tuleap security advisories on their website for the most up-to-date information and guidance.