CVE-2025-64499

4.6 MEDIUM

📋 TL;DR

This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in Tuleap's planning management API. Attackers can trick authenticated users into unknowingly creating, editing, or deleting project plans. All Tuleap Community Edition versions before 17.0.99.1762456922 and Enterprise Edition versions before 17.0-2, 16.13-7, and 16.12-10 are affected.

💻 Affected Systems

Products:
  • Tuleap Community Edition
  • Tuleap Enterprise Edition
Versions: Community Edition: < 17.0.99.1762456922; Enterprise Edition: < 17.0-2, < 16.13-7, < 16.12-10
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All standard installations with affected versions are vulnerable. The vulnerability exists in the planning management API endpoints.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could delete or modify all project planning data, disrupting development workflows and potentially causing project delays or data loss.

🟠 Likely Case

Attackers modify planning data to disrupt specific projects, create confusion, or insert malicious content into project plans.

🟢 If Mitigated

With proper CSRF protections and user awareness, impact is minimal as attacks require user interaction and authentication.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim to be authenticated and tricked into visiting a malicious page. Standard CSRF attack patterns apply.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Community Edition: 17.0.99.1762456922; Enterprise Edition: 17.0-2, 16.13-7, 16.12-10

Vendor Advisory: https://github.com/Enalean/tuleap/security/advisories/GHSA-9h47-jg7r-ww7x

Restart Required: Yes

Instructions:

1. Back up your Tuleap instance.
2. Update to the patched version using your package manager (apt/yum).
3. Restart Tuleap services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Implement CSRF Tokens Manually (applies to: all)

Add CSRF protection to the planning API endpoints if custom modifications are possible.
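To make the workaround concrete, the following is an added example (not Tuleap's own code and not from the advisory) of the two checks a state-changing planning endpoint needs: a per-session synchronizer token compared in constant time, plus an Origin/Referer check against the site's own origin. The session store, the header name `X-CSRF-Token`, the allowed origin `https://tuleap.example.org`, and the `/api/planning` path prefix are assumptions for the demonstration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical stand-in for a server-side session store: session id -> CSRF token.
SESSION_TOKENS: dict[str, str] = {}

# Constructed value: the only origin allowed to issue state-changing requests.
ALLOWED_ORIGIN = "https://tuleap.example.org"

# HTTP verbs that change state and therefore need CSRF protection.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str) -> str:
    """Create a fresh synchronizer token and bind it to the session."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is our own site.

    A missing header is treated as a failure: browsers send Origin on
    cross-site POSTs, so a state-changing request without either header is
    not something a same-site form or XHR would normally produce.
    """
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == ALLOWED_ORIGIN


def csrf_check(session_id: str, headers: dict) -> tuple[bool, str]:
    """Return (ok, reason) for a state-changing request from this session."""
    expected = SESSION_TOKENS.get(session_id)
    if expected is None:
        return False, "no token issued for session"
    if not origin_allowed(headers):
        return False, "origin/referer not allowed"
    supplied = headers.get("X-CSRF-Token", "")
    # Constant-time comparison on bytes avoids timing leaks and the
    # TypeError compare_digest raises for non-ASCII str input.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "token mismatch"
    return True, "ok"


def handle_planning_request(method: str, path: str, session_id: str, headers: dict):
    """Hypothetical dispatcher: the check gates only state-changing planning calls."""
    if method in STATE_CHANGING and path.startswith("/api/planning"):
        ok, reason = csrf_check(session_id, headers)
        if not ok:
            return 403, reason
    return 200, "ok"


if __name__ == "__main__":
    sid = "session-demo"
    tok = issue_csrf_token(sid)
    same_site = {"Origin": ALLOWED_ORIGIN, "X-CSRF-Token": tok}
    print(handle_planning_request("PUT", "/api/planning/42", sid, same_site))
    cross_site = {"Origin": "https://other.example", "X-CSRF-Token": tok}
    print(handle_planning_request("DELETE", "/api/planning/42", sid, cross_site))
```

The token must be delivered to the page out of band (rendered into the page or fetched via an authenticated same-origin call), never readable from a cookie alone; the Origin check is the cheaper, stateless layer that rejects most forged requests before the token is even compared.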

🧯 If You Can't Patch

  • Restrict access to Tuleap to trusted networks only
  • Educate users about phishing risks and CSRF attacks

🔍 How to Verify

Check if Vulnerable:

Check Tuleap version via web interface or command line. If version matches affected range, system is vulnerable.

Check Version:

On Linux: dpkg -l | grep tuleap OR rpm -qa | grep tuleap

Verify Fix Applied:

Verify version is updated to patched version and test planning functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual planning modifications from unexpected IPs
  • Multiple planning changes in short timeframes

Network Indicators:

  • HTTP requests to planning API without proper referrer headers
  • CSRF-like attack patterns

SIEM Query:

Search for POST requests to /api/planning/* endpoints with suspicious referrers or user agents
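As an added example (not part of the advisory and not a Tuleap tool), the script below applies the two log indicators and the SIEM query above to constructed access-log lines in the common combined format: it flags state-changing requests to `/api/planning*` whose Referer is absent or from another host, and bursts of several planning changes from one IP within a short window. The host name `tuleap.example.org`, the burst threshold, and the sample log lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed value: the host the Tuleap instance is served from.
TULEAP_HOST = "tuleap.example.org"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
# Assumed burst rule: this many planning changes from one IP inside the window.
BURST_THRESHOLD = 3
BURST_WINDOW = timedelta(seconds=60)

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines: one normal user and one IP showing both indicators.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Nov/2025:10:00:01 +0000] "GET /api/planning/42 HTTP/1.1" 200 512 '
    '"https://tuleap.example.org/plugins/agiledashboard/" "Mozilla/5.0"',
    '10.0.0.5 - alice [12/Nov/2025:10:00:05 +0000] "PUT /api/planning/42 HTTP/1.1" 200 128 '
    '"https://tuleap.example.org/plugins/agiledashboard/" "Mozilla/5.0"',
    '203.0.113.9 - bob [12/Nov/2025:10:01:10 +0000] "DELETE /api/planning/42 HTTP/1.1" 200 0 '
    '"https://third-party.example/page.html" "Mozilla/5.0"',
    '203.0.113.9 - bob [12/Nov/2025:10:01:11 +0000] "POST /api/planning HTTP/1.1" 201 64 "-" "Mozilla/5.0"',
    '203.0.113.9 - bob [12/Nov/2025:10:01:12 +0000] "POST /api/planning HTTP/1.1" 201 64 "-" "Mozilla/5.0"',
]


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def referer_suspicious(referer: str) -> bool:
    """A planning change should come from a page on our own host."""
    if referer in ("", "-"):
        return True
    return urlsplit(referer).hostname != TULEAP_HOST


def find_indicators(lines):
    """Return (kind, ip, detail, referer) tuples for the two log indicators."""
    findings = []
    changes_per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in STATE_CHANGING:
            continue
        if not rec["path"].startswith("/api/planning"):
            continue
        if referer_suspicious(rec["referer"]):
            findings.append(("bad_referer", rec["ip"], rec["path"], rec["referer"]))
        changes_per_ip[rec["ip"]].append(rec["ts"])
    # Burst check: any sliding window of BURST_THRESHOLD changes within BURST_WINDOW.
    for ip, times in changes_per_ip.items():
        times.sort()
        for i in range(len(times) - BURST_THRESHOLD + 1):
            if times[i + BURST_THRESHOLD - 1] - times[i] <= BURST_WINDOW:
                findings.append(("burst", ip, BURST_THRESHOLD, None))
                break
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOG):
        print(finding)
```

Referer is a hint, not proof: browsers strip it under strict referrer policies, so treat a missing Referer as a trigger for review rather than a confirmed attack, and pair it with the burst rule and the user's normal source IPs.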
