Platform: php
Component: tuleap
Fixed versions: 16.13.100, 16.13.1, 16.12.1
CVE-2025-64117 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting Tuleap Community Edition versions prior to 16.13.99.1761813675 and Tuleap Enterprise Edition versions prior to 16.13-5 and 16.12-8. This flaw allows an attacker to potentially manipulate SVN commit rules and immutable tags within a repository by deceiving authenticated users. The vulnerability has been resolved in Tuleap Community Edition 16.13.99.1761813675, Tuleap Enterprise Edition 16.13-5, and Tuleap Enterprise Edition 16.12-8.
An attacker can exploit this CSRF vulnerability to gain unauthorized control over SVN repositories managed by Tuleap. By crafting malicious requests and tricking authenticated users into executing them, an attacker could modify commit rules, potentially allowing unauthorized code changes or bypassing security controls. They could also alter immutable tags, disrupting version control and potentially leading to data corruption or loss. The impact is particularly severe in environments where SVN is used for critical software development or deployment pipelines, as a successful attack could compromise the integrity of the entire codebase.
CVE-2025-64117 was published on 2025-11-12. There is no indication of active exploitation or KEV listing at the time of writing. No public proof-of-concept (PoC) code has been released. The vulnerability's impact relies on social engineering to trick users, which may lower the probability of exploitation compared to remote code execution vulnerabilities.
Organizations heavily reliant on Tuleap for software development and version control, particularly those using SVN for critical projects, are at risk. Environments with shared Tuleap instances or those lacking robust user awareness training are also more vulnerable to CSRF attacks.
• php: Examine Tuleap application logs for unusual requests related to SVN commit rule or immutable tag modifications. Look for requests originating from unexpected sources or with suspicious parameters. The alternation in the pattern needs extended regular expressions (-E):
grep -iE 'svn commit rule|immutable tag' /var/log/tuleap/application.log
• generic web: Monitor the web server access log for state-changing requests to SVN management endpoints whose Referer is not the Tuleap origin; a cross-site Referer on such a request can indicate a CSRF attempt. With a combined-format access log (path left as a placeholder), keep the SVN requests and drop those whose Referer is the Tuleap URL:
grep -i '/svn/' <access_log_path> | grep -v '<tuleap_url>'
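The log-review guidance above is easier to apply with a small parser than with ad hoc grep pipelines. The following is an added example, not part of the original page or of Tuleap: it parses constructed access-log lines in the common "combined" format and flags state-changing requests to an assumed SVN admin path (the prefix /plugins/svn/admin and the hostname tuleap.example.com are assumptions, not Tuleap's real routes) whose Referer is either missing or points to a different host.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache/nginx "combined" log format.
# These are not real Tuleap logs; paths and hosts are assumed for illustration.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Nov/2025:10:01:02 +0000] "POST /plugins/svn/admin/commit_rules HTTP/1.1" 302 0 "https://tuleap.example.com/plugins/svn/admin" "Mozilla/5.0"
10.0.0.7 - bob [12/Nov/2025:10:02:15 +0000] "POST /plugins/svn/admin/immutable_tags HTTP/1.1" 302 0 "https://evil.example.net/lure.html" "Mozilla/5.0"
10.0.0.9 - carol [12/Nov/2025:10:03:40 +0000] "POST /plugins/svn/admin/commit_rules HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - alice [12/Nov/2025:10:04:01 +0000] "GET /plugins/svn/admin HTTP/1.1" 200 4120 "https://tuleap.example.com/" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
SVN_ADMIN_PREFIX = "/plugins/svn/admin"  # assumed example route, not Tuleap's real one


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Host part of the Referer value; None when the browser sent none ("-")."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).netloc.lower()


def flag_suspicious(log_text, trusted_host):
    """Flag state-changing requests to the SVN admin area whose Referer is not
    the trusted Tuleap host. Returns a list of (user, path, reason) tuples."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in STATE_CHANGING:
            continue
        if not rec["path"].startswith(SVN_ADMIN_PREFIX):
            continue
        host = referer_host(rec["referer"])
        if host is None:
            reason = "missing referer"
        elif host != trusted_host.lower():
            reason = f"cross-site referer {host}"
        else:
            continue  # same-origin admin request: expected traffic
        findings.append((rec["user"], rec["path"], reason))
    return findings


if __name__ == "__main__":
    for user, path, reason in flag_suspicious(SAMPLE_LOG, "tuleap.example.com"):
        print(f"{user} {path}: {reason}")
```

A missing Referer is a weaker signal than a cross-site one: privacy settings and referrer policies strip the header on legitimate navigations, so treat "missing referer" hits as candidates for review rather than as confirmed attempts, and correlate them with the Tuleap application log entries that record the actual rule or tag change.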
Exploit status
EPSS: 0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-64117 is to upgrade Tuleap to a patched version: 16.13.99.1761813675, 16.13-5, or 16.12-8. If an immediate upgrade is not feasible, consider implementing stricter access controls and input validation on SVN commit rule and immutable tag management interfaces. Implementing a Content Security Policy (CSP) with strict origin restrictions can also help mitigate CSRF attacks. Regularly review SVN commit logs for any suspicious activity. After upgrading, confirm the fix by attempting to trigger a CSRF request and verifying that it is blocked.
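The interim controls above are access-level measures; the standard fix for CSRF on a state-changing endpoint such as commit-rule or immutable-tag management is a server-side check that the request carries a per-session synchronizer token, with an Origin/Referer comparison as defence in depth. The following is an added example in Python, not Tuleap's code (Tuleap is a PHP application) and not a description of its actual patch; the request and session shapes and the origin https://tuleap.example.com are assumptions. It also shows the post-upgrade check the text suggests, in the form of a forged cross-site request being rejected.

```python
import hmac
import secrets
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://tuleap.example.com"  # assumed deployment URL
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token(session):
    """Create (once per session) the synchronizer token to embed in admin forms."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _same_origin(header_value, trusted):
    """True if the Origin/Referer value has the trusted scheme and host."""
    if not header_value:
        return False
    t, h = urlsplit(trusted), urlsplit(header_value)
    return (h.scheme, h.netloc) == (t.scheme, t.netloc)


def check_csrf(method, headers, form, session, trusted_origin=TRUSTED_ORIGIN):
    """Return (ok, reason). Safe methods pass; state-changing ones need a
    same-origin Origin (or Referer) header and a token matching the session."""
    if method not in STATE_CHANGING:
        return True, "safe method"
    origin = headers.get("Origin") or headers.get("Referer")
    if not _same_origin(origin, trusted_origin):
        return False, "origin check failed"
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "token mismatch"
    return True, "ok"


def demo():
    """Constructed requests: one from the Tuleap UI, one forged from another site."""
    session = {}
    token = issue_token(session)
    legitimate = check_csrf(
        "POST", {"Origin": TRUSTED_ORIGIN}, {"csrf_token": token}, session)
    # A cross-site form post: the browser sends the attacker's Origin and the
    # attacker cannot read the victim's token, so the form carries none.
    forged = check_csrf(
        "POST", {"Origin": "https://evil.example.net"}, {}, session)
    return legitimate, forged


if __name__ == "__main__":
    print(demo())
```

The token check is the primary control: an attacker's page can make the victim's browser send a request with the victim's cookies, but it cannot read the token from the Tuleap-rendered form. The origin comparison rejects requests with no Origin or Referer at all, which is the safe default for administrative endpoints; if that breaks legitimate clients behind a strict referrer policy, relax only the header check, never the token check.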
Update Tuleap Community Edition to version 16.13.99.1761813675 or later. If you are using Tuleap Enterprise Edition, update to version 16.13-5 or 16.12-8, or a later version. This fixes the CSRF vulnerability in the management of SVN commit rules and immutable tags.
CVE-2025-64117 is a Cross-Site Request Forgery (CSRF) vulnerability in Tuleap Enterprise Edition versions less than or equal to 16.13-5, allowing attackers to manipulate SVN commit rules and immutable tags.
You are affected if you are running Tuleap Enterprise Edition versions prior to 16.13-5 or 16.12-8, or Tuleap Community Edition prior to 16.13.99.1761813675.
Upgrade to Tuleap Enterprise Edition version 16.13-5 or 16.12-8, or Tuleap Community Edition version 16.13.99.1761813675. Consider implementing stricter access controls as an interim measure.
There is currently no public information indicating that CVE-2025-64117 is being actively exploited.
Refer to the official Tuleap security advisory for detailed information and updates: [https://www.tuleap.org/security/advisories/](https://www.tuleap.org/security/advisories/)