CVE-2025-24459
📋 TL;DR
This vulnerability allows reflected cross-site scripting (XSS) attacks on the Vault Connection page in JetBrains TeamCity. Attackers can inject malicious scripts that execute in users' browsers when they visit a specially crafted URL. Organizations using vulnerable TeamCity instances are affected.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity by JetBrains
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to full system compromise.
Likely Case
Attackers could steal session tokens or credentials from users who click malicious links, leading to unauthorized access to the TeamCity instance.
If Mitigated
With proper input validation and output encoding, the attack would fail, and users would only see sanitized content.
🎯 Exploit Status
Requires user interaction (clicking a malicious link) and authentication to access the Vault Connection page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.12.1
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Back up your TeamCity instance.
2. Download TeamCity 2024.12.1 or later from the JetBrains website.
3. Follow the official upgrade guide for your installation type.
4. Restart the TeamCity service.
🔧 Temporary Workarounds
Input Validation Filter
Implement a web application firewall (WAF) or reverse proxy with XSS filtering rules to sanitize input to the Vault Connection page.
Access Restriction
Restrict access to the Vault Connection page to only necessary users via network ACLs or authentication requirements.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources.
- Educate users about phishing risks and the danger of clicking untrusted links, especially those targeting the Vault Connection page.
🔍 How to Verify
Check if Vulnerable:
Check your TeamCity version via the web interface (Administration → Global Settings) or the server logs. If the version is below 2024.12.1, the instance is vulnerable.
Check Version:
On Linux: grep 'TeamCity' /opt/teamcity/logs/teamcity-server.log | head -1
Verify Fix Applied:
After upgrading, confirm the version is 2024.12.1 or higher in the web interface and test the Vault Connection page with safe XSS payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual GET requests to /admin/vaultConnection.html with script tags or encoded payloads in parameters
- Multiple failed login attempts followed by access to the Vault Connection page
Network Indicators:
- HTTP requests containing <script> tags or javascript: URIs targeting the vault connection endpoint
SIEM Query:
source="teamcity.log" AND (uri="/admin/vaultConnection.html" AND (query="*<script>*" OR query="*javascript:*"))
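The log and network indicators above, turned into a small offline scanner as an added example (not part of the advisory or of TeamCity): it parses constructed access-log lines in an assumed common-log shape, URL-decodes query parameters through several layers so double-encoded probes are not missed, and flags requests to the Vault Connection endpoint whose parameters carry a script tag or a javascript: URI.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Endpoint named in the advisory; the access-log shape is a constructed assumption, not TeamCity's own format.
VAULT_PATH = "/admin/vaultConnection.html"

# Mirrors the advisory's two indicators: script tags and javascript: URIs (case-insensitive).
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def decode_fully(value, rounds=3):
    """Peel up to `rounds` layers of percent-encoding so double-encoded payloads are visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(target):
    """Return (param, decoded_value) pairs matching an indicator if the request hits the Vault page, else []."""
    parts = urlsplit(target)
    if decode_fully(parts.path) != VAULT_PATH:
        return []
    hits = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):  # parse_qsl decodes one layer itself
        value = decode_fully(raw)
        if SUSPICIOUS.search(value):
            hits.append((name, value))
    return hits

def scan_log(lines):
    """Return one finding per log line whose query string carries an indicator against the Vault page."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = inspect_request(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "params": hits})
    return findings

# Constructed sample: a benign request, a plain-encoded probe, a double-encoded probe, and a probe at another page.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2025:09:15:02 +0000] "GET /admin/vaultConnection.html?projectId=Build1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [10/Jan/2025:09:16:44 +0000] "GET /admin/vaultConnection.html?projectId=%3Cscript%3E HTTP/1.1" 200 5200',
    '10.0.0.9 - - [10/Jan/2025:09:17:01 +0000] "GET /admin/vaultConnection.html?url=%256Aavascript%253A HTTP/1.1" 200 5200',
    '10.0.0.7 - - [10/Jan/2025:09:18:30 +0000] "GET /admin/editProject.html?projectId=%3Cscript%3E HTTP/1.1" 200 4000',
]
```

Running `scan_log(SAMPLE_LOG)` returns two findings, both from 10.0.0.9; the single-layer SIEM query above would miss the double-encoded third line, which is why the decoding loop matters.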