CVE-2025-64498
📋 TL;DR
This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in Tuleap project management software that allows attackers to trick authenticated users into changing tracker general settings without their consent. It affects Tuleap Community Edition versions below 17.0.99.1762444754 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7, and 16.12-10. Attackers can exploit this by luring victims to malicious websites while they're logged into Tuleap.
💻 Affected Systems
- Tuleap Community Edition
- Tuleap Enterprise Edition
📦 What is this software?
Tuleap by Enalean
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify tracker configurations to disrupt project workflows, alter data collection forms, change permissions, or redirect data to unauthorized locations, potentially causing operational disruption and data integrity issues.
Likely Case
Attackers trick users into making unintended changes to tracker settings, which could lead to misconfigured workflows, altered data validation rules, or changed notification settings affecting project management processes.
If Mitigated
With proper CSRF protections and user awareness, the impact is limited to minor configuration changes that can be detected and reverted by administrators.
🎯 Exploit Status
Exploitation requires social engineering to trick authenticated users into visiting malicious websites. The technical complexity is low as it's a standard CSRF attack pattern.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Community Edition: 17.0.99.1762444754; Enterprise Edition: 17.0-2, 16.13-7, 16.12-10
Vendor Advisory: https://github.com/Enalean/tuleap/security/advisories/GHSA-vxfh-h8p6-p5rg
Restart Required: Yes
Instructions:
1. Backup your Tuleap installation and database.
2. Update to the patched version using your distribution's package manager or Tuleap upgrade process.
3. Restart Tuleap services.
4. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Implement CSRF Protection Headers
Add Content Security Policy headers to help prevent CSRF attacks. Note that CSP restricts where scripts and styles may be loaded from; it does not by itself stop a browser from submitting a cross-site form that carries the victim's session cookie, so pair it with the SameSite cookie setting listed below.
# Add to web server configuration (Apache example):
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
🧯 If You Can't Patch
- Implement strict SameSite cookie policies for Tuleap sessions
- Educate users about the risks of clicking unknown links while logged into Tuleap
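As an added illustration of the two points above, the following Python sketch (written for this page; it is not Tuleap's own code, which is PHP) shows the server-side shape of a CSRF-resistant state-changing endpoint: the session cookie is issued with SameSite=Strict so browsers do not attach it to cross-site form posts, and a request is honoured only if its Origin (or Referer) is the Tuleap host and the form carries the session's synchronizer token. The cookie name, the host name and the header/form layout are assumptions.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed Tuleap host for this example (not taken from the advisory).
ALLOWED_HOSTS = {"tuleap.example.internal"}


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for a session cookie that browsers will not send
    along with cross-site form submissions. The cookie name is assumed."""
    return (f"TULEAP_session={session_id}; Path=/; Secure; HttpOnly; "
            "SameSite=Strict")


def new_csrf_token() -> str:
    """Per-session synchronizer token: stored server-side with the session
    and embedded as a hidden field in every state-changing form."""
    return secrets.token_urlsafe(32)


def _host_of(url_value: Optional[str]) -> Optional[str]:
    """Hostname part of an Origin or Referer header, or None if absent."""
    if not url_value:
        return None
    return urlsplit(url_value).hostname


def is_state_change_allowed(method: str,
                            headers: Dict[str, str],
                            form_token: Optional[str],
                            session_token: Optional[str],
                            allowed_hosts=ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Decide whether a request that changes tracker settings may proceed.

    Safe methods pass through. Anything else must (1) originate from the
    Tuleap host, judged by Origin or, failing that, Referer, and (2) carry a
    form token equal to the token bound to the session. Header keys are
    assumed to be in canonical case ("Origin", "Referer").
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"

    origin_host = _host_of(headers.get("Origin")) or _host_of(headers.get("Referer"))
    if origin_host is None:
        return False, "missing Origin/Referer on state-changing request"
    if origin_host not in allowed_hosts:
        return False, f"cross-site request from {origin_host}"

    if not form_token or not session_token:
        return False, "missing CSRF token"
    # Constant-time comparison so token checks do not leak timing information.
    if not hmac.compare_digest(form_token, session_token):
        return False, "CSRF token mismatch"
    return True, "ok"


if __name__ == "__main__":
    token = new_csrf_token()
    print(session_cookie_header("example-session-id"))
    print(is_state_change_allowed("POST", {"Origin": "https://tuleap.example.internal"}, token, token))
    print(is_state_change_allowed("POST", {"Origin": "https://other.example"}, token, token))
```

The Origin/Referer check is the same property SameSite=Strict enforces on the browser side; keeping both means a request is refused even from clients that do not implement SameSite, and the token check covers the case where a same-site page is itself compromised.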
🔍 How to Verify
Check if Vulnerable:
Check Tuleap version via web interface (Admin > System Info) or command line: cat /etc/tuleap/conf/VERSION
Check Version:
cat /etc/tuleap/conf/VERSION
Verify Fix Applied:
Verify version is equal to or higher than patched versions: Community Edition >= 17.0.99.1762444754; Enterprise Edition >= 17.0-2 or >= 16.13-7 or >= 16.12-10
📡 Detection & Monitoring
Log Indicators:
- Unusual tracker setting changes from unexpected IP addresses
- Multiple tracker configuration changes in short timeframes
- User sessions with unexpected referrer headers
Network Indicators:
- HTTP requests to tracker settings endpoints with missing or malformed CSRF tokens
- Requests from external domains to Tuleap tracker endpoints
SIEM Query:
source="tuleap_access.log" AND (uri="/plugins/tracker/admin" OR uri CONTAINS "/plugins/tracker/") AND (http_referer NOT CONTAINS "your-tuleap-domain.com" OR csrf_token="")
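The log indicators above, turned into a small detector as an added example (not part of the advisory and not a Tuleap tool): it parses Apache combined-format access log lines, keeps only state-changing requests under /plugins/tracker/, and flags those whose Referer is absent or points at a host other than the Tuleap server, plus bursts of several such changes by one user inside a short window. The sample lines, host name, user names, IP addresses and the exact tracker admin URI are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" format (host, users, IPs and
# URI are assumptions for this example, not real Tuleap traffic).
SAMPLE_LOG = """\
192.0.2.10 - alice [05/Nov/2025:10:00:01 +0000] "GET /plugins/tracker/admin?tracker=42 HTTP/1.1" 200 5120 "https://tuleap.example.internal/plugins/tracker/?tracker=42" "Mozilla/5.0"
192.0.2.10 - alice [05/Nov/2025:10:00:09 +0000] "POST /plugins/tracker/admin?tracker=42 HTTP/1.1" 302 0 "https://tuleap.example.internal/plugins/tracker/admin?tracker=42" "Mozilla/5.0"
198.51.100.7 - bob [05/Nov/2025:10:05:30 +0000] "POST /plugins/tracker/admin?tracker=42 HTTP/1.1" 302 0 "https://news.example/article" "Mozilla/5.0"
198.51.100.7 - bob [05/Nov/2025:10:05:31 +0000] "POST /plugins/tracker/admin?tracker=43 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - bob [05/Nov/2025:10:05:32 +0000] "POST /plugins/tracker/admin?tracker=44 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_tracker_change(entry: Dict[str, str]) -> bool:
    """State-changing request to a tracker endpoint (the paths the SIEM query watches)."""
    return (entry["method"] in ("POST", "PUT", "PATCH", "DELETE")
            and entry["uri"].startswith("/plugins/tracker/"))


def _finding(entry: Dict[str, str], reason: str) -> Dict[str, str]:
    return {"user": entry["user"], "ip": entry["ip"], "uri": entry["uri"], "reason": reason}


def analyse(log_text: str, tuleap_host: str,
            window_seconds: int = 60, burst_threshold: int = 3) -> List[Dict[str, str]]:
    """Return one finding per suspicious tracker change.

    A change is suspicious when its Referer is missing (a cross-site form post
    from a page with a no-referrer policy looks like this) or names a host
    other than the Tuleap server. A burst finding is raised once, when a user
    reaches burst_threshold changes inside window_seconds.
    """
    findings: List[Dict[str, str]] = []
    recent: Dict[str, List[datetime]] = defaultdict(list)

    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_tracker_change(entry):
            continue

        referer = entry["referer"]
        ref_host = urlsplit(referer).hostname if referer and referer != "-" else None
        if ref_host is None:
            findings.append(_finding(entry, "state-changing tracker request without Referer"))
        elif ref_host != tuleap_host:
            findings.append(_finding(entry, f"Referer host {ref_host} is not the Tuleap host"))

        ts = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
        bucket = recent[entry["user"]]
        bucket.append(ts)
        # Keep only timestamps inside the sliding window.
        bucket[:] = [t for t in bucket if (ts - t).total_seconds() <= window_seconds]
        if len(bucket) == burst_threshold:
            findings.append(_finding(
                entry, f"{burst_threshold} tracker changes by {entry['user']} within {window_seconds}s"))

    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG, "tuleap.example.internal"):
        print(f"{f['user']}@{f['ip']} {f['uri']}: {f['reason']}")
```

Alice's same-site POST produces nothing; Bob's three rapid POSTs produce an off-site Referer finding, two missing-Referer findings and one burst finding. A missing Referer is not proof of CSRF on its own (some browsers and privacy extensions strip it), so treat it as a triage signal and confirm against the tracker's change history.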
🔗 References
- https://github.com/Enalean/tuleap/commit/993316dd6a291bb3937cb7a4571eaab0e7d55370
- https://github.com/Enalean/tuleap/security/advisories/GHSA-vxfh-h8p6-p5rg
- https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=993316dd6a291bb3937cb7a4571eaab0e7d55370
- https://tuleap.net/plugins/tracker/?aid=45593