CVE-2025-47851
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in JetBrains TeamCity allows attackers to inject malicious scripts via GitHub Checks Webhooks. When exploited, these scripts execute in the context of other users' browsers, potentially stealing session cookies or performing unauthorized actions. Organizations using TeamCity with GitHub integration are affected.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity, a CI/CD build server by JetBrains
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full control of the TeamCity instance, deploy malicious builds, or access sensitive CI/CD secrets and source code.
Likely Case
Session hijacking of regular users, defacement of TeamCity interface, or limited data exfiltration from user browsers.
If Mitigated
Minimal impact if proper content security policies and input validation are already implemented.
🎯 Exploit Status
Exploitation requires ability to send crafted GitHub webhook payloads to TeamCity. Attackers need access to GitHub repository webhook configuration or ability to intercept/modify webhook traffic.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.03.2 or later
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Back up the TeamCity configuration and database.
2. Download TeamCity 2025.03.2 or later from the JetBrains website.
3. Stop the TeamCity service.
4. Install the update following the JetBrains upgrade guide.
5. Restart the TeamCity service.
6. Verify the version in Administration → Server Administration.
🔧 Temporary Workarounds
Disable GitHub Checks Webhooks
Temporarily disable the GitHub Checks webhook integration if it is not required.
Navigate to Administration → Integrations → GitHub and disable the Checks webhook functionality.
Implement WAF Rules
Add web application firewall rules to block XSS payloads in webhook requests.
Add WAF rules that filter script tags and JavaScript in POST requests to /app/rest/webhooks/github.
🧯 If You Can't Patch
- Restrict GitHub webhook source IPs to GitHub's official IP ranges only
- Implement strict Content Security Policy headers for TeamCity interface
🔍 How to Verify
Check if Vulnerable:
Check the TeamCity version in Administration → Server Administration. If the version is below 2025.03.2 and GitHub integration is enabled, the system is vulnerable.
Check Version:
On the TeamCity server, run cat /opt/teamcity/version.txt, or check the version via the web interface.
Verify Fix Applied:
Verify that the version is 2025.03.2 or higher in Administration → Server Administration. Test GitHub webhook functionality with safe payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual webhook payloads containing script tags or JavaScript in TeamCity logs
- Multiple failed webhook attempts with malformed data
Network Indicators:
- POST requests to /app/rest/webhooks/github containing script tags or JavaScript patterns
SIEM Query:
source="teamcity" AND ("script" OR "javascript" OR "onload=" OR "onerror=") AND uri_path="/app/rest/webhooks/github"
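An added example, not part of the original advisory, that applies the SIEM query's logic above to a handful of constructed log lines in Python; the key=value log format, the field names and the sample lines are assumptions, and the same marker list is what the WAF rule in the workarounds section would filter on:

```python
import re

# Strings from the advisory's SIEM query, matched case-insensitively; the bare
# "script" marker also hits words like "description", so expect some noise.
WEBHOOK_PATH = "/app/rest/webhooks/github"
XSS_MARKERS = ("script", "javascript", "onload=", "onerror=")

# Constructed key=value log format (an assumption); adapt LOG_RE to your proxy/SIEM output.
LOG_RE = re.compile(
    r'^source=(?P<source>\S+) method=(?P<method>\S+) uri_path=(?P<path>\S+)'
    r' body="(?P<body>.*)"$'
)

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def matched_markers(body):
    """Return the XSS markers present in a request body (case-insensitive)."""
    low = body.lower()
    return tuple(mk for mk in XSS_MARKERS if mk in low)

def scan(lines):
    """Return (line_no, markers) for TeamCity webhook POSTs carrying any marker."""
    hits = []
    for no, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None or rec["source"] != "teamcity":
            continue
        if rec["method"] != "POST" or rec["path"] != WEBHOOK_PATH:
            continue
        markers = matched_markers(rec["body"])
        if markers:
            hits.append((no, markers))
    return hits

# Constructed sample lines; the tag fragments are placeholders, not a real payload.
SAMPLE_LOG = [
    'source=teamcity method=POST uri_path=/app/rest/webhooks/github body="check_run.name=build"',
    'source=teamcity method=POST uri_path=/app/rest/webhooks/github body="check_run.name=<SCRIPT>x</SCRIPT>"',
    'source=teamcity method=POST uri_path=/app/rest/webhooks/github body="output.summary=<img onerror=x>"',
    'source=teamcity method=GET uri_path=/app/rest/builds body="<script>"',
    'source=nginx method=POST uri_path=/app/rest/webhooks/github body="javascript:"',
    'source=teamcity method=POST uri_path=/app/rest/webhooks/github body="output.description=ok"',
]

if __name__ == "__main__":
    for no, markers in scan(SAMPLE_LOG):
        print(f"line {no}: {markers}")
```

The last sample line shows the noise the bare "script" marker produces on a benign "description" field; tighten that marker (for example to "<script") if the false positives are a problem in your environment.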