CVE-2025-54528
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in JetBrains TeamCity's GitHub App connection flow allows attackers to trick authenticated users into performing unauthorized actions. This affects TeamCity administrators who configure GitHub integrations. The vulnerability could lead to unauthorized GitHub App connections being established.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity, the CI/CD server by JetBrains
⚠️ Risk & Real-World Impact
Worst Case
Attackers could establish malicious GitHub App connections that exfiltrate repository data, inject malicious code into CI/CD pipelines, or compromise build artifacts.
Likely Case
Unauthorized GitHub App connections established, potentially leading to repository access by unauthorized parties or disruption of CI/CD workflows.
If Mitigated
With proper CSRF protections and user awareness, exploitation attempts would fail, maintaining secure GitHub App connections.
🎯 Exploit Status
Exploitation requires tricking an authenticated administrator into clicking a malicious link while logged into TeamCity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.07 or later
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Back up the TeamCity configuration and data.
2. Download TeamCity 2025.07 or later from the JetBrains website.
3. Follow the official upgrade guide for your deployment method (Windows installer, WAR file, Docker).
4. Restart the TeamCity services after the upgrade.
🔧 Temporary Workarounds
CSRF Protection Headers
Configure the web server or reverse proxy in front of TeamCity to add CSRF-related protections such as the SameSite cookie attribute (and a Content-Security-Policy header). A cookie marked SameSite is withheld from cross-site requests, so the forged request this CSRF depends on arrives without the administrator's session.
# For nginx (1.19.3 or later), rewrite the flags on every cookie set by the TeamCity upstream: proxy_cookie_flags ~ httponly samesite=strict;
# For Apache (mod_headers): Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; SameSite=Strict"
# Caveat: SameSite=Strict also withholds the session cookie on the top-level redirect back from GitHub at the end of the GitHub App connection flow; if that flow breaks, use samesite=lax / SameSite=Lax, which still withholds the cookie on cross-site POST requests.
Restrict GitHub App Configuration
Temporarily disable or restrict GitHub App connection configuration to authorized administrators only.
# Use TeamCity's role-based access control to restrict 'Edit Project' and 'Administer Server' permissions
🧯 If You Can't Patch
- Implement strict network segmentation to isolate TeamCity from untrusted networks.
- Enforce multi-factor authentication for all administrator accounts and educate users about CSRF risks.
🔍 How to Verify
Check if Vulnerable:
Check TeamCity version in Administration → Server Administration → Server Health → Version. If version is earlier than 2025.07 and GitHub App connections are configured, the system is vulnerable.
Check Version:
On TeamCity server: cat /opt/teamcity/version.txt or check web interface at /admin/admin.html?item=diagnostics
Verify Fix Applied:
After upgrading to 2025.07 or later, verify that the reported version is 2025.07 or newer and confirm that requests in the GitHub App connection flow now carry a CSRF token.
📡 Detection & Monitoring
Log Indicators:
- Unexpected GitHub App connection attempts from unusual IP addresses
- Multiple failed authentication attempts followed by GitHub App configuration changes
Network Indicators:
- HTTP POST requests to /app/rest/vcs-roots without proper referrer headers
- Cross-origin requests to TeamCity GitHub integration endpoints
SIEM Query:
source="teamcity.log" AND ("github.app" OR "vcs-roots") AND status=200 AND referrer NOT CONTAINS "teamcity"
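The network indicators and SIEM query above, turned into a runnable log check. This is an added example, not code from the page or from JetBrains: it scans constructed reverse-proxy access-log lines for state-changing requests to the /app/rest/vcs-roots endpoint or any GitHub-related path and flags those whose Origin or Referer header is missing or names a different origin than the TeamCity instance. The log format, the hostnames and the GitHub-related path are assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumed TeamCity origin (constructed); replace with your instance's scheme and host.
TEAMCITY_ORIGIN = "https://teamcity.example.internal"
# Constructed access-log format: client method path status "referer" "origin"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<origin>[^"]*)"$'
)
STATE_CHANGING = {"POST", "PUT", "DELETE"}

def is_watched(path: str) -> bool:
    """The /app/rest/vcs-roots endpoint plus any path naming github (assumption)."""
    return path.startswith("/app/rest/vcs-roots") or "github" in path.lower()

def request_origin(referer: str, origin: str) -> Optional[str]:
    """Prefer the Origin header; fall back to the Referer's scheme and host."""
    if origin and origin != "-":
        return origin.rstrip("/")
    if referer and referer != "-":
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None

def find_csrf_candidates(lines, teamcity_origin=TEAMCITY_ORIGIN):
    """Return (ip, path, reason) for state-changing hits that are not same-origin."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] not in STATE_CHANGING or not is_watched(m["path"]):
            continue
        src = request_origin(m["referer"], m["origin"])
        if src is None:
            findings.append((m["ip"], m["path"], "no Origin/Referer on state-changing request"))
        elif src != teamcity_origin:
            findings.append((m["ip"], m["path"], f"cross-origin request from {src}"))
    return findings

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 POST /app/rest/vcs-roots 200 "https://teamcity.example.internal/admin/editProject.html" "https://teamcity.example.internal"',
    '10.0.0.5 POST /app/rest/vcs-roots 200 "https://lure.example/index.html" "https://lure.example"',
    '10.0.0.5 POST /admin/githubAppConnection.html 302 "-" "-"',
    '10.0.0.5 GET /app/rest/vcs-roots 200 "-" "-"',
    '10.0.0.5 POST /app/rest/builds 200 "https://lure.example/x" "https://lure.example"',
]

if __name__ == "__main__":
    for ip, path, reason in find_csrf_candidates(SAMPLE_LOG):
        print(f"{ip} {path}: {reason}")
```

Run it against your proxy's access log once the log format pattern is adjusted; a same-origin POST produces no finding, so only the cross-site and header-less requests surface.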