CVE-2025-29766
📋 TL;DR
CVE-2025-29766 is a Cross-Site Request Forgery (CSRF) vulnerability in Tuleap: tracker views lacked CSRF protection, so an attacker-controlled web page could make a logged-in user's browser submit or edit tracker artifacts and comments without the user intending it. Any user who can submit or edit artifacts can be a victim, and whatever that user may change in a tracker, the attacker can change through them.
💻 Affected Systems
- Tuleap Community Edition
- Tuleap Enterprise Edition
📦 What is this software?
Tuleap by Enalean
⚠️ Risk & Real-World Impact
Worst Case
An attacker could create artifacts, alter existing artifacts or comments, or inject misleading content into project tracking data, all attributed to the victim user, disrupting project management and corrupting the audit trail.
Likely Case
Unauthorized artifact modifications or submissions attributed to a legitimate user, leading to data-integrity issues, confusion over who changed what, or minor disruption of development workflows.
If Mitigated
Once the patch is applied, a forged request carries no valid CSRF token and is rejected before anything is written, so the impact is limited to requests forged before patching. CSRF protection does not notify users of attempts; review tracker change history if you suspect abuse during the exposure window.
🎯 Exploit Status
Exploitation requires social engineering: the victim must be logged in to Tuleap in the same browser and visit an attacker-controlled page that auto-submits a cross-site form to a tracker endpoint. Building such a page is low effort; the attacker also needs to know or guess the target tracker or artifact identifiers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Tuleap Community Edition 16.5.99.1741784483, Tuleap Enterprise Edition 16.5-3, and Tuleap Enterprise Edition 16.4-8
Vendor Advisory: https://github.com/Enalean/tuleap/security/advisories/GHSA-6p9q-p2q4-3rqx
Restart Required: Yes
Instructions:
1. Back up your Tuleap installation and database.
2. Update to the patched version using your distribution's package manager or the Tuleap upgrade process.
3. Restart Tuleap services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Implement CSRF tokens manually
Applies to all platforms. Adding CSRF protection to the tracker artifact submission and edit endpoints is what the official fix does; doing it yourself means modifying Tuleap's code, so this is not a practical workaround. Apply the patch instead.
Use SameSite cookie attribute
Applies to all platforms. Configure the session cookie with SameSite=Strict or SameSite=Lax so the browser withholds it on cross-site POST requests, which blunts this CSRF. The page suggests setting session.cookie_samesite = 'Strict' in php.ini or the Tuleap configuration; this only helps if Tuleap's session cookie is actually issued with that attribute, so confirm it by inspecting the Set-Cookie header of a login response (browser developer tools or `curl -si`) before relying on it. SameSite is defense in depth, not a replacement for the token check in the patch.
🧯 If You Can't Patch
- Configure the web application firewall (WAF) or reverse proxy to reject POST requests to /plugins/tracker/ whose Origin header (or, if absent, Referer header) is not your Tuleap origin; this is an application-independent CSRF check, but it will break legitimate clients that strip those headers, so test before enforcing
- Educate users about CSRF risks and safe browsing practices, especially regarding clicking unknown links while logged in to Tuleap
🔍 How to Verify
Check if Vulnerable:
Check the installed Tuleap version against the patched versions above (compare per edition and, for Enterprise Edition, per branch). Review tracker artifact submission and edit requests for CSRF token validation.
Check Version:
tuleap version (or check /etc/tuleap/VERSION file); on RPM-based installs, rpm -q tuleap also reports the installed package version
Verify Fix Applied:
Verify the Tuleap version is at or above the patched version for your edition and branch. Then capture a legitimate artifact submission or edit, replay it with the CSRF token removed or altered, and confirm the request is rejected.
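The comparison above has to be done per edition and, for Enterprise Edition, per release branch. The following is an added example, not part of this page or of Tuleap itself, that encodes the patched versions listed under Official Fix and answers "is this version patched?" for a given edition. It assumes Community Edition versions are dotted integer tuples and Enterprise Edition versions have the form `<major>.<minor>-<release>`; it also assumes that EE branches newer than any patched branch carry the fix and older branches never received it, which is a reading of the advisory, not something it states.

```python
import re

# Patched versions from the advisory for CVE-2025-29766 (GHSA-6p9q-p2q4-3rqx).
PATCHED_CE = (16, 5, 99, 1741784483)            # Tuleap Community Edition
PATCHED_EE = {(16, 5): 3, (16, 4): 8}           # EE branch -> first fixed release


def parse_ce(version: str) -> tuple:
    """Community Edition: dotted integers, compared as a tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def parse_ee(version: str) -> tuple:
    """Enterprise Edition: '16.5-3' -> branch (16, 5), release 3 (assumed scheme)."""
    m = re.fullmatch(r"(\d+)\.(\d+)-(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Enterprise Edition version: {version!r}")
    return (int(m[1]), int(m[2])), int(m[3])


def is_patched(version: str, edition: str) -> bool:
    """Return True if the given version contains the fix for CVE-2025-29766."""
    if edition == "ce":
        return parse_ce(version) >= PATCHED_CE
    if edition == "ee":
        branch, release = parse_ee(version)
        if branch in PATCHED_EE:
            return release >= PATCHED_EE[branch]
        # Assumption: later branches include the fix, earlier ones do not.
        return branch > max(PATCHED_EE)
    raise ValueError(f"edition must be 'ce' or 'ee', got {edition!r}")


if __name__ == "__main__":
    # Constructed inputs for a quick run; substitute the output of your version check.
    for v, ed in [("16.5.99.1741784483", "ce"), ("16.5.99.1741700000", "ce"),
                  ("16.5-3", "ee"), ("16.4-7", "ee"), ("16.6-1", "ee")]:
        print(f"{ed.upper()} {v:>22}: {'patched' if is_patched(v, ed) else 'VULNERABLE'}")
```

Feed it the string your version check prints; a branch you run that is older than 16.4 is reported as unpatched because no fixed release exists for it.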
📡 Detection & Monitoring
Log Indicators:
- Bursts of artifact submissions or edits from the same user in a short timeframe, especially immediately after the user loaded a page outside Tuleap
- Artifact edits or comments in the tracker change history that the attributed user does not recognise
Network Indicators:
- POST requests to /plugins/tracker/ endpoints whose Referer (or Origin) header is missing or points to a host other than your Tuleap instance; note that a missing Referer is only a weak signal, since browsers strip it under some Referrer-Policy settings
- Absence of a CSRF token is not visible in ordinary access logs, which record the URL but not the POST body; it can only be checked where request bodies are logged or at the application layer
- Requests from unexpected sources to artifact submission endpoints
SIEM Query (pseudo-syntax, adapt to your SIEM and substitute your Tuleap hostname):
source="tuleap" AND method="POST" AND url_path STARTSWITH "/plugins/tracker/" AND NOT (referer STARTSWITH "https://tuleap.example.com/")
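The query above can be checked offline against web-server access logs. The script below is an added example, not code from this page or from Tuleap: it parses Apache/nginx "combined" format lines, keeps POSTs under /plugins/tracker/, and flags those whose Referer is absent or from a foreign origin. It compares the Referer hostname exactly rather than with a substring match, so `tuleap.example.com.evil.test` is not mistaken for the real instance. The hostname, the log lines and the request paths are constructed for illustration and are not real traffic.

```python
import re
from urllib.parse import urlparse

# Hostname of your Tuleap instance (assumed value; replace with your own).
TULEAP_HOST = "tuleap.example.com"

# Apache/nginx "combined" access-log format; the quoted Referer field is the
# one that tells us which page issued the POST.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines, not real traffic; the tracker paths are illustrative.
SAMPLE_LOG = """\
203.0.113.10 - alice [12/Mar/2025:10:01:02 +0000] "POST /plugins/tracker/?tracker=12&func=new-artifact HTTP/1.1" 302 0 "https://tuleap.example.com/plugins/tracker/?tracker=12" "Mozilla/5.0"
203.0.113.10 - alice [12/Mar/2025:10:03:45 +0000] "POST /plugins/tracker/?aid=42208 HTTP/1.1" 302 0 "https://attacker.example/bait.html" "Mozilla/5.0"
198.51.100.7 - bob [12/Mar/2025:10:04:10 +0000] "POST /plugins/tracker/?tracker=12&func=new-artifact HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - bob [12/Mar/2025:10:05:00 +0000] "GET /plugins/tracker/?aid=42208 HTTP/1.1" 200 8421 "https://attacker.example/bait.html" "Mozilla/5.0"
203.0.113.10 - alice [12/Mar/2025:10:06:30 +0000] "POST /api/v1/artifacts HTTP/1.1" 201 120 "https://tuleap.example.com/" "Mozilla/5.0"
"""


def is_tracker_write(method: str, path: str) -> bool:
    """Artifact submissions and edits are POSTs under the tracker plugin path."""
    return method == "POST" and path.startswith("/plugins/tracker/")


def referer_is_same_origin(referer: str, host: str = TULEAP_HOST) -> bool:
    """Exact hostname comparison; a 'contains tuleap' test would accept
    tuleap.example.com.evil.test."""
    if referer in ("", "-"):
        return False
    return urlparse(referer).hostname == host


def find_suspicious(lines, host: str = TULEAP_HOST):
    """Return tracker POSTs whose Referer is missing or from another origin.
    'cross-site' hits are strong signals; 'no-referer' hits are weaker, because
    browsers strip Referer under some Referrer-Policy settings."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_tracker_write(m["method"], m["path"]):
            continue
        referer = m["referer"]
        if referer_is_same_origin(referer, host):
            continue
        reason = "no-referer" if referer in ("", "-") else "cross-site"
        hits.append({"ip": m["ip"], "user": m["user"], "path": m["path"],
                     "referer": referer, "reason": reason})
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{h['reason']:<10} user={h['user']} ip={h['ip']} "
              f"path={h['path']} referer={h['referer']}")
```

On the sample data the cross-site POST to `?aid=42208` and the Referer-less submission are reported, while the legitimate same-origin POST, the GET, and the REST API call are not. If your web server logs the Origin header (for example Apache's `%{Origin}i`), prefer it over Referer, since browsers always send Origin on cross-site POSTs.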
🔗 References
- https://github.com/Enalean/tuleap/commit/81f45330fdcc1329cc71eddf4d04b80c340b3b93
- https://github.com/Enalean/tuleap/security/advisories/GHSA-6p9q-p2q4-3rqx
- https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=81f45330fdcc1329cc71eddf4d04b80c340b3b93
- https://tuleap.net/plugins/tracker/?aid=42208