CVE-2025-54536

5.4 MEDIUM

📋 TL;DR

This Cross-Site Request Forgery (CSRF) vulnerability in JetBrains TeamCity lets an attacker make an authenticated user's browser issue GraphQL operations the user never intended: a victim who visits an attacker-controlled page while logged into TeamCity can be made to modify data or perform actions under their own account and permissions. All TeamCity versions before 2025.07 are affected.

💻 Affected Systems

Products:
  • JetBrains TeamCity
Versions: All versions before 2025.07
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the victim to be logged into TeamCity and to visit an attacker-controlled page in the same browser; the forged request runs with the victim's permissions, not the attacker's.

📦 What is this software?

JetBrains TeamCity is a self-hosted continuous integration and delivery (CI/CD) server. Its web UI is cookie-authenticated and talks to the server over HTTP APIs, including a GraphQL API, which is why a request forged from another site and carrying the user's session cookie can trigger GraphQL operations on that user's behalf.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could modify user permissions, delete projects, or alter build configurations through forged GraphQL requests executed by authenticated administrators.

🟠

Likely Case

Attackers could trick users into changing their own settings, modifying build configurations they have access to, or performing other GraphQL operations within their permission scope.

🟢

If Mitigated

With the fix applied, or with request-origin/CSRF checks enforced in front of the endpoint, the forged request is rejected and there is no impact. Where the attack only reaches low-privilege users, impact is limited to actions within those users' existing permissions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF is a well-understood technique and is easy to execute once the vulnerable endpoint is identified: the attacker hosts a page that makes the victim's browser send the request, and the browser attaches the TeamCity session cookie. For a GraphQL endpoint the practical requirement is that the server accepts a request a cross-site page can produce without a CORS preflight (a GET with the query in the URL, or a POST with a form-style or text/plain body rather than strict application/json) and does not validate Origin/Referer or a per-session token. The attack also needs the session cookie to be sent cross-site, which SameSite=Lax prevents for cross-site POSTs and SameSite=Strict prevents for all cross-site navigation.
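To make the exploit shape and the corresponding server-side check concrete, here is an added Python example; it is not code from the advisory or from JetBrains. It models what a TeamCity server or a fronting reverse proxy sees for a forged cross-site form submission, a forged GET, and a legitimate same-origin request, and applies the three request-level checks that defeat form-based CSRF against a GraphQL endpoint. The path /app/graphql, the origin https://teamcity.example.internal, the session cookie values and the mutation name placeholderOperation are assumptions and placeholders, not TeamCity identifiers.

```python
"""
Added example (not code from the advisory or from JetBrains): what a cookie-
authenticated GraphQL endpoint sees during a CSRF attempt, and the request-level
checks that defeat it. The endpoint path, the TeamCity origin, the cookie values
and the mutation name are placeholders, not TeamCity identifiers.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

TEAMCITY_ORIGIN = "https://teamcity.example.internal"   # assumption: your server's origin
GRAPHQL_PATH = "/app/graphql"                           # assumption: confirm on your server


@dataclass
class Request:
    """Minimal view of an inbound HTTP request as a server or reverse proxy sees it."""
    method: str
    path: str
    headers: dict   # header names are compared case-insensitively below
    body: str


def header(req: Request, name: str):
    name = name.lower()
    return next((v for k, v in req.headers.items() if k.lower() == name), None)


def request_origin(req: Request):
    """Origin header if present, else scheme://host of the Referer, else None."""
    origin = header(req, "Origin")
    if origin:
        return origin.rstrip("/")
    referer = header(req, "Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_reject_reasons(req: Request, allowed_origin: str = TEAMCITY_ORIGIN) -> list:
    """
    Reasons a request to the GraphQL path should be refused as a probable cross-site
    forgery; an empty list means it passes. The checks are independent, so a proxy
    rule can enforce any subset (the Content-Type check alone stops HTML-form CSRF).
    """
    if not req.path.startswith(GRAPHQL_PATH):
        return []
    reasons = []
    # 1. State-changing GraphQL only over POST. A GET carrying ?query=... is forgeable
    #    with an <img src> or a plain link, no JavaScript needed.
    if req.method.upper() != "POST":
        reasons.append(f"method {req.method}, only POST is accepted for GraphQL")
    # 2. Body must be application/json. A cross-site <form> can only send urlencoded,
    #    multipart or text/plain without a CORS preflight, which the browser would block.
    ctype = (header(req, "Content-Type") or "").split(";", 1)[0].strip().lower()
    if ctype != "application/json":
        reasons.append(f"content-type {ctype or '<none>'}, expected application/json")
    # 3. Origin (Referer as fallback) must be the TeamCity origin itself. Browsers set
    #    Origin on cross-site POSTs and an attacker's page cannot override it.
    origin = request_origin(req)
    if origin is None:
        reasons.append("no Origin or Referer header on a state-changing request")
    elif origin != allowed_origin.rstrip("/"):
        reasons.append(f"cross-site origin {origin}")
    return reasons


# Constructed sample: a victim's browser auto-submitting an attacker-hosted
# <form method="POST" enctype="text/plain">. The field name and value are chosen so
# that name=value concatenates into a JSON-looking body; the session cookie rides
# along whenever SameSite allows it.
FORGED_FORM_POST = Request(
    method="POST",
    path=GRAPHQL_PATH,
    headers={
        "Host": "teamcity.example.internal",
        "Origin": "https://attacker.example",
        "Content-Type": "text/plain",
        "Cookie": "<victim's TeamCity session cookie>",
    },
    body='{"query":"mutation { placeholderOperation }","pad":"=x"}',
)

# Constructed sample: the operation smuggled into a GET, e.g. an <img src="...?query=...">.
FORGED_GET = Request(
    method="GET",
    path=GRAPHQL_PATH + "?query=mutation%20%7B%20placeholderOperation%20%7D",
    headers={"Referer": "https://attacker.example/page.html",
             "Cookie": "<victim's TeamCity session cookie>"},
    body="",
)

# Constructed sample: the same operation issued by the real UI (same-origin fetch/XHR).
LEGITIMATE_POST = Request(
    method="POST",
    path=GRAPHQL_PATH,
    headers={
        "Host": "teamcity.example.internal",
        "Origin": TEAMCITY_ORIGIN,
        "Content-Type": "application/json; charset=utf-8",
        "Cookie": "<user's TeamCity session cookie>",
    },
    body='{"query":"mutation { placeholderOperation }"}',
)

if __name__ == "__main__":
    for label, req in (("forged form POST", FORGED_FORM_POST),
                       ("forged GET", FORGED_GET),
                       ("legitimate POST", LEGITIMATE_POST)):
        reasons = csrf_reject_reasons(req)
        print(f"{label:17s} -> " + ("REJECT: " + "; ".join(reasons) if reasons else "allow"))
```

The three checks are deliberately independent of the application: they can be expressed as reverse-proxy rules on the GraphQL path for an unpatched server and remain worthwhile defence in depth after upgrading, since none of them depends on how the application implements its own token.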

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.07

Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/

Restart Required: Yes

Instructions:

1. Back up the TeamCity configuration and data.
2. Download TeamCity 2025.07 or later from the JetBrains website.
3. Stop the TeamCity service.
4. Install the new version following the JetBrains upgrade guide.
5. Restart the TeamCity service.

🔧 Temporary Workarounds

Enforce CSRF checks in front of the GraphQL endpoint (all platforms)

A per-session anti-CSRF token has to be issued and validated by the application itself, so for an unpatched server the practical equivalent is a reverse-proxy or WAF rule on the GraphQL path: reject requests that are not POST, whose Content-Type is not application/json, or whose Origin (or, failing that, Referer) host is not the TeamCity host. A cross-site HTML form cannot satisfy all three without a CORS preflight that the browser would block.

Restrict GraphQL Access (all platforms)

Limit which source networks can reach the GraphQL path with network controls or a web application firewall. Note that a CSRF request originates from the victim's own browser, so allow-listing by source IP only helps if the victims' networks are excluded as well, and blocking the path outright breaks anything that relies on it.

🧯 If You Can't Patch

  • Set SameSite=Lax or Strict on the TeamCity session cookie (for example by rewriting Set-Cookie at the reverse proxy) so that a cross-site POST does not carry it, and, where your deployment allows it, require additional authentication for sensitive GraphQL operations
  • Deploy a web application firewall with CSRF rules on the GraphQL path (Origin/Referer and Content-Type enforcement) and monitor for suspicious GraphQL requests

🔍 How to Verify

Check if Vulnerable:

Check the TeamCity version in Administration → Server Administration → Global Settings. If it is below 2025.07, the server is vulnerable.

Check Version:

Check the TeamCity web interface at Administration → Server Administration → Global Settings, or query the REST API (GET /app/rest/server), which reports the server version.

Verify Fix Applied:

After upgrade, verify version shows 2025.07 or higher in Administration → Server Administration → Global Settings.
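Checking one server through the UI does not scale. The following added Python example, which is not code from the advisory or from JetBrains, triages a fleet from the version fields the TeamCity REST API returns at GET /app/rest/server (version, versionMajor, versionMinor). The server names, build numbers and JSON responses in it are constructed samples; fetch_server_info() is the only part that touches the network and is not called by the offline demo.

```python
"""
Added example (not from the advisory or from JetBrains): fleet-wide triage for
CVE-2025-54536 using the version fields that the TeamCity REST API exposes at
GET /app/rest/server. Server names, tokens, build numbers and the JSON responses
below are constructed samples.
"""
import json
import re
import urllib.request

FIXED_RELEASE = (2025, 7)   # 2025.07; bugfix builds (2025.07.x) share major/minor


def parse_version_string(version: str):
    """Turn a display string such as '2025.03.3 (build 100001)' into (2025, 3)."""
    m = re.match(r"\s*(\d{4})\.(\d{1,2})", version)
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def release_of(server_info: dict):
    """
    (major, minor) from a /app/rest/server JSON document. Prefer the numeric
    versionMajor/versionMinor fields; fall back to parsing the display string.
    """
    if "versionMajor" in server_info and "versionMinor" in server_info:
        return int(server_info["versionMajor"]), int(server_info["versionMinor"])
    return parse_version_string(server_info["version"])


def is_vulnerable(server_info: dict) -> bool:
    """True when the running release predates 2025.07."""
    return release_of(server_info) < FIXED_RELEASE


def fetch_server_info(base_url: str, token: str, timeout: float = 10.0) -> dict:
    """
    Live lookup: GET <base_url>/app/rest/server with a TeamCity access token and
    Accept: application/json. Not used by the offline demo below.
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/app/rest/server",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def triage(fleet: dict) -> dict:
    """Map server name -> 'VULNERABLE' / 'fixed' / 'unknown (<reason>)'."""
    verdicts = {}
    for name, info in fleet.items():
        try:
            verdicts[name] = "VULNERABLE" if is_vulnerable(info) else "fixed"
        except (KeyError, ValueError) as exc:
            verdicts[name] = f"unknown ({exc})"
    return verdicts


# Constructed sample responses in the shape of /app/rest/server; build numbers are made up.
SAMPLE_FLEET = {
    "tc-prod": {"version": "2025.03.3 (build 100001)", "versionMajor": 2025, "versionMinor": 3},
    "tc-staging": {"version": "2025.07 (build 100002)", "versionMajor": 2025, "versionMinor": 7},
    "tc-legacy": {"version": "2024.12.2 (build 100003)"},   # numeric fields omitted to exercise the fallback
    "tc-patched": {"version": "2025.07.1 (build 100004)", "versionMajor": 2025, "versionMinor": 7},
    "tc-broken": {"buildNumber": "100005"},                  # no version information at all
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FLEET).items():
        print(f"{name:12s} {verdict}")
```

Feed triage() the dictionaries returned by fetch_server_info() for each server and act on every VULNERABLE or unknown verdict; a server that cannot report its version should be treated as unpatched until confirmed.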

📡 Detection & Monitoring

Log Indicators:

  • GraphQL requests whose Referer or Origin host is not the TeamCity host, or that carry a session cookie but neither header
  • Multiple failed GraphQL operations from the same user session in a short window

Network Indicators:

  • GraphQL POST requests with a form-style Content-Type (application/x-www-form-urlencoded, multipart/form-data or text/plain) instead of application/json, or GraphQL operations carried in a GET query string
  • Requests whose Origin and Referer headers disagree with each other or with the server's own host

SIEM Query:

source="teamcity.log" AND "POST" AND "/app/graphql" AND NOT referer="https://teamcity.example.com/*"

Replace teamcity.example.com with your server's host name rather than using a wildcard such as *teamcity*, which would also match attacker-controlled hosts like teamcity.attacker.example. The GraphQL path and the referer field name depend on how your access log is ingested, and requests with no Referer at all (API clients) also match this query, so tune it against a baseline before alerting.
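The query above is a template; the following added Python example, which is not code from the advisory or from JetBrains, implements the same indicators over constructed access-log lines: GraphQL requests whose Origin or Referer host is not the server, GraphQL requests with neither header, and users accumulating several failed GraphQL operations. The line layout (combined log format plus a trailing origin="..." field as a reverse proxy might log it), the host teamcity.example.internal and the path /app/graphql are assumptions; adapt the regex to your own log source.

```python
"""
Added example (not code from the advisory or from JetBrains): the log indicators
above evaluated over constructed access-log lines. The line layout, host, path and
threshold are assumptions; adapt LINE_RE to your own log source.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

TEAMCITY_HOST = "teamcity.example.internal"   # assumption: your server's host
GRAPHQL_PATH = "/app/graphql"                  # assumption: confirm on your server
FAIL_BURST_THRESHOLD = 3                       # non-2xx GraphQL responses per user

# Combined log format plus a trailing origin="..." field (assumed proxy log layout).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" origin="(?P<origin>[^"]*)"$'
)


def parse_line(line: str):
    """Dict of fields for a well-formed line, None otherwise."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def host_of(url: str):
    """Lower-cased host of a URL or origin; None for empty or '-' placeholders."""
    if not url or url == "-":
        return None
    return urlsplit(url).netloc.lower() or None


def analyse(lines, server_host: str = TEAMCITY_HOST) -> list:
    """
    Findings as dicts with a 'rule' key:
      cross-site   - GraphQL request whose Origin (or Referer) host is not the server
      no-origin    - GraphQL request with neither header (API scripts; low confidence)
      failed-burst - a user with >= FAIL_BURST_THRESHOLD non-2xx GraphQL responses
    """
    findings = []
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(GRAPHQL_PATH):
            continue
        src = host_of(rec["origin"]) or host_of(rec["referer"])
        if src is None:
            findings.append({"rule": "no-origin", "user": rec["user"],
                             "ip": rec["ip"], "ua": rec["ua"]})
        elif src != server_host.lower():
            findings.append({"rule": "cross-site", "user": rec["user"], "ip": rec["ip"],
                             "method": rec["method"], "source": src})
        if not rec["status"].startswith("2"):
            failures[rec["user"]] += 1
    for user, count in failures.items():
        if count >= FAIL_BURST_THRESHOLD:
            findings.append({"rule": "failed-burst", "user": user, "count": count})
    return findings


# Constructed sample lines: hosts, users, addresses, timestamps and sizes are made up.
TC = "https://teamcity.example.internal"
SAMPLE_LOG = [
    # alice: normal same-origin UI traffic
    f'10.0.0.5 - alice [12/Aug/2025:10:14:02 +0000] "POST /app/graphql HTTP/1.1" 200 512 "{TC}/admin/editProject.html" "Mozilla/5.0" origin="{TC}"',
    # bob: authenticated POST arriving from a foreign origin, the CSRF shape
    '10.0.0.9 - bob [12/Aug/2025:10:15:40 +0000] "POST /app/graphql HTTP/1.1" 200 98 "https://attacker.example/build-status.html" "Mozilla/5.0" origin="https://attacker.example"',
    # carol: operation smuggled into a GET (e.g. <img src>), Referer only, no Origin
    '10.0.0.12 - carol [12/Aug/2025:10:16:01 +0000] "GET /app/graphql?query=mutation%7Bx%7D HTTP/1.1" 200 98 "https://attacker.example/" "Mozilla/5.0" origin="-"',
    # svc-build: non-browser client with neither header; normal for scripts, low confidence
    '10.0.0.20 - svc-build [12/Aug/2025:10:16:30 +0000] "POST /app/graphql HTTP/1.1" 200 400 "-" "python-requests/2.32" origin="-"',
    # dave: three rejected GraphQL operations in a row from the real UI
    f'10.0.0.7 - dave [12/Aug/2025:10:17:10 +0000] "POST /app/graphql HTTP/1.1" 403 64 "{TC}/project.html" "Mozilla/5.0" origin="{TC}"',
    f'10.0.0.7 - dave [12/Aug/2025:10:17:12 +0000] "POST /app/graphql HTTP/1.1" 403 64 "{TC}/project.html" "Mozilla/5.0" origin="{TC}"',
    f'10.0.0.7 - dave [12/Aug/2025:10:17:15 +0000] "POST /app/graphql HTTP/1.1" 400 64 "{TC}/project.html" "Mozilla/5.0" origin="{TC}"',
    # unrelated REST call, ignored by the path filter
    '10.0.0.5 - alice [12/Aug/2025:10:18:00 +0000] "GET /app/rest/builds HTTP/1.1" 200 2048 "-" "curl/8.0" origin="-"',
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

In production, add a time window to the failure counter and exclude known API clients (by user or User-Agent) from the no-origin rule; the cross-site rule is the high-confidence one, because a browser sets Origin on cross-site POSTs and the attacker cannot remove or forge it.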
