CVE-2025-52876 – This vulnerability allows reflected cross-site ... (How to Fix)

Q: What is the severity of CVE-2025-52876?

CVE-2025-52876 has a CVSS score of 5.4 (MEDIUM). This vulnerability allows reflected cross-site scripting (XSS) attacks on the favoriteIcon page in JetBrains TeamCity. Attackers can inject malicious scripts that execute in users' browsers when they visit a specially crafted URL. This affects all TeamCity administrators and users who access the vulnerable page.

📋 TL;DR

This vulnerability allows reflected cross-site scripting (XSS) attacks on the favoriteIcon page in JetBrains TeamCity. Attackers can inject malicious scripts that execute in users' browsers when they visit a specially crafted URL. This affects all TeamCity administrators and users who access the vulnerable page.

💻 Affected Systems

Products:

JetBrains TeamCity

Versions: All versions before 2025.03.3

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the favoriteIcon page functionality and affects all default installations.

📦 What is this software?

Teamcity by Jetbrains

View all CVEs affecting Teamcity →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to full account compromise.

🟠

Likely Case

Attackers could steal session tokens or perform limited actions in the context of the victim's session, but full system compromise is unlikely without additional vulnerabilities.

🟢

If Mitigated

With proper input validation and output encoding, the impact is limited to minor UI manipulation or information disclosure.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires user interaction (clicking a malicious link) and authentication to TeamCity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.03.3 or later

Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/

Restart Required: Yes

Instructions:

1. Backup your TeamCity installation and database. 2. Download TeamCity 2025.03.3 or later from the JetBrains website. 3. Follow the official upgrade guide for your deployment method (Windows/Linux/Docker). 4. Restart the TeamCity service after installation.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement a web application firewall or reverse proxy rule to filter malicious input targeting the favoriteIcon endpoint.

🧯 If You Can't Patch

Restrict access to TeamCity to trusted networks only using firewall rules.
Implement Content Security Policy (CSP) headers to mitigate XSS impact.

🔍 How to Verify

Check if Vulnerable:

Check your TeamCity version in the administration interface under 'Administration > Global Settings'.

Check Version:

On TeamCity server: cat /opt/teamcity/version.txt or check web interface.

Verify Fix Applied:

Verify the version is 2025.03.3 or higher and test the favoriteIcon functionality with safe input.

📡 Detection & Monitoring

Log Indicators:

Unusual requests to /favoriteIcon endpoint with script tags or encoded payloads
Multiple failed authentication attempts followed by XSS payloads

Network Indicators:

HTTP requests containing script tags or JavaScript in URL parameters to TeamCity

SIEM Query:

source="teamcity" AND (url="*favoriteIcon*" AND (param="*<script>*" OR param="*javascript:*"))

📊 Metadata

CVE ID: CVE-2025-52876

CVSS v3 Score: 5.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.13% exploit probability (32.9th percentile)

Published: June 23, 2025

Last Updated: June 25, 2025

🔗 References

https://www.jetbrains.com/privacy-security/issues-fixed/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-52876, you might also want to check these: