CVE-2025-29929
📋 TL;DR
Tuleap's tracker hierarchy administration page lacked CSRF protection. An attacker who lures an authenticated user holding tracker administration rights onto a malicious page can make that user's browser submit a forged request that changes the tracker hierarchy without the user's knowledge. Every Tuleap user with tracker administration privileges is exposed. Exploitation needs user interaction (the victim must visit the attacker's page) but no authentication on the attacker's side.
💻 Affected Systems
- Tuleap Community Edition
- Tuleap Enterprise Edition
📦 What is this software?
Tuleap by Enalean
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate tracker hierarchies to disrupt project workflows, inject malicious content into artifacts, or alter project tracking data across the entire Tuleap instance.
Likely Case
Targeted attacks against specific users to modify tracker configurations or artifact data, potentially causing data integrity issues or project disruption.
If Mitigated
With proper CSRF protections and user awareness, impact is limited to unsuccessful attack attempts with no data compromise.
🎯 Exploit Status
Exploitation requires social engineering to trick authenticated users into visiting malicious pages. No authentication required from attacker side.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Tuleap Community Edition 16.5.99.1742306712, Tuleap Enterprise Edition 16.5-5, Tuleap Enterprise Edition 16.4-8
Vendor Advisory: https://github.com/Enalean/tuleap/security/advisories/GHSA-hqqr-p5f6-26vv
Restart Required: Yes
Instructions:
1. Back up your Tuleap instance.
2. Update to a patched version using your distribution's package manager.
3. Restart Tuleap services.
4. Verify the fix by checking the installed version and confirming that a POST to the tracker hierarchy administration page without a valid CSRF token is rejected.
🔧 Temporary Workarounds
CSRF Token Validation
Platform: all
Implement synchronizer-token validation for the tracker hierarchy administration endpoint.
Not applicable - requires code modification
SameSite Cookie Enforcement
Platform: all
Configure the session cookie with the SameSite=Strict attribute so browsers do not attach it to cross-site POSTs.
session.cookie_samesite = 'Strict' is a PHP ini directive; whether Tuleap's own session cookie honours it depends on how Tuleap emits that cookie, so confirm the attribute in the Set-Cookie header after the change. SameSite reduces cross-site exposure but is not a substitute for a synchronizer token: it does nothing against a same-site origin, and Strict can break legitimate links into Tuleap from other sites.
🧯 If You Can't Patch
- Restrict tracker administration privileges to minimal necessary users
- At the reverse proxy or WAF, reject POSTs to the tracker administration pages whose Origin (or, failing that, Referer) header is absent or does not name your Tuleap host; this is a coarse stand-in for the missing token check and will also block legitimate clients that strip those headers
🔍 How to Verify
Check if Vulnerable:
Compare the installed Tuleap version against the patched versions listed above. If you cannot patch immediately, confirm the exposure directly: load the tracker hierarchy administration form with an administrator session and check whether it carries a CSRF token and whether a POST without one is rejected.
Check Version:
rpm -q tuleap on an RPM-based install shows the installed package version; the source tree also ships a VERSION file (/usr/share/tuleap/VERSION on a standard install). Compare the result against the patched versions above.
Verify Fix Applied:
Confirm the installed version is one of the patched releases above, then load the tracker hierarchy administration page with an authenticated administrator session and confirm that the form carries a CSRF token and that resubmitting it with the token removed or stale is rejected.
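The version check tells you whether the package is patched; the behavioural check is to confirm that the tracker hierarchy administration form now carries a CSRF token and that the session cookie restricts cross-site use. The Python script below is an added example written for this page, not Tuleap code or part of any official tooling. It performs the offline part of that audit on a saved copy of the admin page's HTML and on the Set-Cookie header of the login response (fetch both yourself with an authenticated session, for example with curl). It assumes Tuleap's token field is the hidden input named `challenge` and that the admin form posts to `/plugins/tracker/?tracker=<id>&func=admin-hierarchy`; the HTML snippets and cookie values in the block are constructed, and the cookie name is a placeholder.

```python
from html.parser import HTMLParser

# Constructed samples for this example; not captured from a real Tuleap instance.
# The cookie name is a placeholder and the token value is made up.
COOKIE_BEFORE = "TULEAP_session_hash=0123abcd; Path=/; Secure; HttpOnly"
COOKIE_AFTER = "TULEAP_session_hash=0123abcd; Path=/; Secure; HttpOnly; SameSite=Strict"

# Assumed shape of the hierarchy admin form action (confirm against your instance).
ADMIN_ACTION = "/plugins/tracker/?tracker=42&amp;func=admin-hierarchy"
FORM_WITHOUT_TOKEN = (
    f'<form method="post" action="{ADMIN_ACTION}">'
    '<select name="children[]"><option value="43">Tasks</option></select>'
    '<input type="submit" value="Submit"></form>'
)
FORM_WITH_TOKEN = (
    f'<form method="post" action="{ADMIN_ACTION}">'
    '<input type="hidden" name="challenge" value="7c1f3e9ab2d4c6e8f0a1b2c3d4e5f607">'
    '<select name="children[]"><option value="43">Tasks</option></select>'
    '<input type="submit" value="Submit"></form>'
)

TOKEN_FIELD = "challenge"  # assumed name of Tuleap's CSRF hidden input


def samesite_of(set_cookie: str):
    """Return the SameSite attribute of a Set-Cookie header value, or None if absent."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "samesite":
            return value.strip().capitalize() or None
    return None


class _FormScanner(HTMLParser):
    """Collect every <form> with its method, action and hidden inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "hidden": {},
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "hidden":
                self._current["hidden"][a.get("name") or ""] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def post_forms_missing_token(html: str, token_field: str = TOKEN_FIELD):
    """Return the action URLs of POST forms that carry no non-empty token field.
    HTMLParser unescapes attribute values, so '&amp;' comes back as '&'."""
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    return [
        f["action"] for f in scanner.forms
        if f["method"] == "post" and not f["hidden"].get(token_field)
    ]


def audit(html: str, set_cookie: str):
    """Summarise both checks. A patched, hardened instance shows an empty
    'forms_without_token' list and a SameSite value of Lax or Strict."""
    return {
        "forms_without_token": post_forms_missing_token(html),
        "session_samesite": samesite_of(set_cookie),
    }


if __name__ == "__main__":
    print("before:", audit(FORM_WITHOUT_TOKEN, COOKIE_BEFORE))
    print("after: ", audit(FORM_WITH_TOKEN, COOKIE_AFTER))
```

A token present in the HTML is necessary but not sufficient: the server must also reject a POST that omits it, which is the live test the instructions above describe and which this script deliberately does not perform.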
📡 Detection & Monitoring
Log Indicators:
- POSTs to the tracker hierarchy administration page whose Referer (or Origin, if your front end logs it) is absent or names a host other than your Tuleap instance; the forged request is sent by the victim's browser, so its source IP and session belong to the legitimate administrator, not the attacker
- Bursts of such POSTs from several administrators within a short window, which suggests a lure circulated to a group
Network Indicators:
- Cross-origin POSTs to the tracker hierarchy administration page (Origin or Referer not on the Tuleap host)
- POST bodies lacking the CSRF token field, observable only where a proxy or WAF inspects request bodies; standard access logs do not record them
SIEM Query:
Illustrative only; adapt the path pattern and field names to your log schema. The assumed admin page path is /plugins/tracker/?tracker=<id>&func=admin-hierarchy, to be confirmed against your instance, and the absence of the token cannot be seen in an access log that does not record POST bodies, so the query keys on the Referer instead:
source="tuleap" AND http_method="POST" AND uri_path="/plugins/tracker/*" AND uri_query="*func=admin-hierarchy*" AND NOT referer="https://<your-tuleap-host>/*"
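Forged requests in a CSRF attack are sent by the victim's browser, so they arrive from the victim's IP with the victim's session; what gives them away in a front-end access log is a Referer (or, where logged, an Origin) that points at a foreign site or is absent. The Python detector below is an added example for this page, not part of Tuleap or any official tooling. It reads combined-format access log lines that include the Referer field, flags POSTs to the tracker hierarchy admin page whose Referer is missing or off-host, and leaves GETs alone. The log lines are constructed, the host names are placeholders, and the path pattern `func=admin-hierarchy` is an assumption to confirm against your instance. A missing Referer is the weaker of the two signals, because privacy extensions and strict referrer policies also strip it.

```python
import re
from urllib.parse import urlparse

# Constructed sample in combined log format (with Referer and User-Agent),
# as a Tuleap front end might write it. Hosts and users are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - alice [18/Mar/2025:10:01:02 +0000] "POST /plugins/tracker/?tracker=42&func=admin-hierarchy HTTP/1.1" 302 0 "https://tuleap.example.com/plugins/tracker/?tracker=42&func=admin-hierarchy" "Mozilla/5.0"
203.0.113.7 - alice [18/Mar/2025:10:05:44 +0000] "POST /plugins/tracker/?tracker=42&func=admin-hierarchy HTTP/1.1" 302 0 "https://evil.example.net/lure.html" "Mozilla/5.0"
203.0.113.9 - bob [18/Mar/2025:10:06:10 +0000] "POST /plugins/tracker/?tracker=42&func=admin-hierarchy HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - carol [18/Mar/2025:10:07:00 +0000] "GET /plugins/tracker/?tracker=42&func=admin-hierarchy HTTP/1.1" 200 5120 "https://evil.example.net/lure.html" "Mozilla/5.0"
"""

TRUSTED_HOST = "tuleap.example.com"  # placeholder for your instance's host name

# Combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed shape of the tracker hierarchy admin page URL; confirm against your instance.
ADMIN_PATH_RE = re.compile(r"^/plugins/tracker/\?.*\bfunc=admin-hierarchy\b")


def parse_line(line: str):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer: str):
    """Host part of a Referer value; None when the header was absent ('-' or empty)."""
    if referer in ("", "-"):
        return None
    return urlparse(referer).hostname


def find_suspicious_posts(log_text: str, trusted_host: str = TRUSTED_HOST,
                          admin_path=ADMIN_PATH_RE):
    """Flag state-changing (POST) requests to the hierarchy admin page whose
    Referer is missing or names a host other than the Tuleap instance.
    GETs are ignored: a link from another site is not a forged state change."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not admin_path.search(rec["path"]):
            continue
        host = referer_host(rec["referer"])
        if host is None:
            reason = "missing-referer"
        elif host.lower() != trusted_host.lower():
            reason = f"cross-site-referer:{host}"
        else:
            continue  # same-host Referer: the normal form submission
        hits.append({"ip": rec["ip"], "user": rec["user"], "ts": rec["ts"],
                     "path": rec["path"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_posts(SAMPLE_LOG):
        print(f'{hit["ts"]} user={hit["user"]} ip={hit["ip"]} {hit["reason"]}')
```

On the constructed sample this flags alice's second POST (Referer on evil.example.net) and bob's POST (no Referer) while leaving the legitimate same-host submission and carol's GET alone. Treat the off-host hits as the strong signal and confirm each against the tracker's actual hierarchy state with the administrator named in the log.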
🔗 References
- https://github.com/Enalean/tuleap/commit/dce61747f3a169da1f6b585ad5e6e0847fa3c950
- https://github.com/Enalean/tuleap/security/advisories/GHSA-hqqr-p5f6-26vv
- https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=dce61747f3a169da1f6b585ad5e6e0847fa3c950
- https://tuleap.net/plugins/tracker/?aid=42231