CVE-2025-27401
📋 TL;DR
This vulnerability in Tuleap allows authenticated users with access to any tracker to delete all criteria filters across all reports by repeatedly creating and deleting reports. This affects all Tuleap instances running vulnerable versions, potentially forcing administrators and users to recreate all filter configurations.
💻 Affected Systems
- Tuleap Community Edition
- Tuleap Enterprise Edition
📦 What is this software?
Tuleap by Enalean
⚠️ Risk & Real-World Impact
Worst Case
All criteria filters across all reports are permanently deleted, requiring manual recreation and causing significant disruption to workflow and reporting capabilities.
Likely Case
Targeted deletion of specific filters or widespread filter loss requiring administrative intervention to restore functionality.
If Mitigated
Limited to data loss in specific trackers with minimal operational impact if backups are available.
🎯 Exploit Status
Exploitation requires authenticated access but is simple to execute through normal user interface actions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Tuleap Community Edition 16.4.99.1740498975, Tuleap Enterprise Edition 16.4-6, or 16.3-11
Vendor Advisory: https://github.com/Enalean/tuleap/security/advisories/GHSA-3rjf-87rf-h8m9
Restart Required: Yes
Instructions:
1. Back up your Tuleap instance.
2. Update to the patched version using your distribution's package manager.
3. Restart Tuleap services.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Restrict Tracker Access
Limit tracker creation and deletion permissions to trusted administrators only.
Implement Rate Limiting
Configure a web application firewall or reverse proxy to limit report creation/deletion requests per user.
🧯 If You Can't Patch
- Implement strict access controls to limit tracker permissions to essential personnel only
- Enable comprehensive logging and monitoring for report creation/deletion activities
🔍 How to Verify
Check if Vulnerable:
Compare the running Tuleap version against the affected versions. If the instance runs a vulnerable version and users have tracker access, it is vulnerable.
Check Version:
Run tuleap info | grep 'Tuleap version', or check the administration panel in the web interface.
Verify Fix Applied:
Confirm version is patched (16.4.99.1740498975 or later for Community Edition, 16.4-6/16.3-11 or later for Enterprise Edition).
📡 Detection & Monitoring
Log Indicators:
- Multiple rapid report creation and deletion events from a single user
- Unusual filter deletion patterns across multiple reports
Network Indicators:
- High frequency of POST requests to report creation/deletion endpoints
SIEM Query:
source="tuleap" AND (event="report_created" OR event="report_deleted") | stats count by user | where count > threshold
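The log indicator above ("multiple rapid report creation and deletion events from a single user") as runnable detection logic, an added example that is not part of the original advisory or Tuleap's own code. It parses constructed sample lines in an assumed key=value layout (Tuleap's real log format is not shown on this page; only the event names mirror the SIEM query) and flags any user whose report create/delete events reach a threshold inside a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an ASSUMED key=value layout; this is not
# Tuleap's real log format. Event names mirror the SIEM query on this page.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z user=alice event=report_created tracker=12 report=501
2025-03-01T10:00:03Z user=alice event=report_deleted tracker=12 report=501
2025-03-01T10:00:05Z user=alice event=report_created tracker=12 report=502
2025-03-01T10:00:07Z user=alice event=report_deleted tracker=12 report=502
2025-03-01T10:00:09Z user=alice event=report_created tracker=12 report=503
2025-03-01T10:00:11Z user=alice event=report_deleted tracker=12 report=503
2025-03-01T10:00:12Z user=bob event=artifact_updated tracker=12 artifact=77
2025-03-01T10:30:00Z user=bob event=report_created tracker=12 report=504
2025-03-01T11:45:00Z user=bob event=report_deleted tracker=12 report=504
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+event=(?P<event>\S+)")
WATCHED = {"report_created", "report_deleted"}


def parse_events(log_text):
    """Yield (timestamp, user, event) for every line matching the assumed layout."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown line shape: skip rather than guess
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["user"], m["event"]


def find_report_churn(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {user: peak_events_in_window} for users whose report
    create/delete events reach `threshold` inside any sliding `window`."""
    recent = defaultdict(deque)  # user -> timestamps still inside the window
    flagged = {}
    for ts, user, event in sorted(parse_events(log_text)):
        if event not in WATCHED:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # evict events older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged


if __name__ == "__main__":
    print(find_report_churn(SAMPLE_LOG))  # {'alice': 6}
```

The threshold and window are starting points to tune against a baseline of normal report activity; bob's one create and one delete 75 minutes apart stay below the window and are not flagged.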