CVE-2025-64760

4.6 MEDIUM

📋 TL;DR

This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in Tuleap that lets an attacker create or remove tracker triggers without authorization. Tuleap Community Edition before 17.0.99.1763126988 and Enterprise Edition before 17.0-3 (17.0 branch) and 16.13-8 (16.13 branch) are affected. Exploitation requires luring a user who is logged in to Tuleap, and who has the tracker administration rights needed to manage triggers, onto an attacker-controlled web page; the victim's browser then submits the forged request with the victim's session.

💻 Affected Systems

Products:
  • Tuleap Community Edition
  • Tuleap Enterprise Edition
Versions: Community Edition: < 17.0.99.1763126988; Enterprise Edition: < 17.0-3 and < 16.13-8
Operating Systems: All platforms running Tuleap
Default Config Vulnerable: ⚠️ Yes
Notes: All standard installations are vulnerable. The attacker needs no Tuleap account; the victim must hold a valid session with permission to administer the target tracker.

📦 What is this software?

Tuleap is an open-source application lifecycle management suite from Enalean: trackers for issues and requirements, Git hosting, agile boards and document management, shipped as a Community Edition and a supported Enterprise Edition. Tracker triggers are automation rules on a tracker that update a parent artifact when its child artifacts reach a chosen state.
⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could manipulate tracker triggers to disrupt development workflows, delete the automation rules a team relies on, or plant triggers that silently set fields on parent artifacts whenever a child artifact reaches a chosen state.

🟠 Likely Case

Attackers modify tracker configurations to disrupt project management, create confusion in development teams, or leave behind a trigger that keeps altering artifacts long after the forged request. Because the change arrives through a legitimate administrator's session, any record of it points at that administrator rather than at the attacker.

🟢 If Mitigated

With the CSRF check in the patched versions, a forged request is rejected. Residual risk requires both social engineering and a logged-in tracker administrator, which significantly reduces successful attacks.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires crafting a web page (an auto-submitting form is enough) that makes the victim's browser send the trigger create/remove request to Tuleap; no tools beyond basic web development knowledge are needed. The limiting factor is the victim: they must be logged in and have the right to administer the target tracker.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Community Edition: 17.0.99.1763126988; Enterprise Edition: 17.0-3 or 16.13-8

Vendor Advisory: https://github.com/Enalean/tuleap/security/advisories/GHSA-f2xv-x3g6-4j9p

Restart Required: Yes

Instructions:

1. Back up your Tuleap instance and database.
2. Update to a patched version with the system package manager. Tuleap is distributed as RPM packages, so this is yum/dnf, not apt.
3. Restart the Tuleap services.
4. Verify the upgrade by reading the version back (see How to Verify below) and confirm it is at or above the fixed release for your edition and branch.

🔧 Temporary Workarounds

CSRF Token Implementation

Applies to: all platforms

Only realistic if you already maintain a patched fork of Tuleap: add a per-session CSRF token check to the tracker trigger create and remove endpoints, which is the standard fix for this class of bug. For everyone else, upgrading is both cheaper and safer.

🧯 If You Can't Patch

  • Set the Tuleap session cookie to SameSite=Lax (or Strict), at a reverse proxy in front of Tuleap if the application does not already do so; browsers then withhold the cookie on cross-site POSTs, which defeats form-based CSRF. A Content Security Policy does not help here: CSP controls what your own pages may load, not which requests other sites can make your users' browsers send to Tuleap.
  • Keep tracker administration rights to the few people who need them, since only their sessions are useful to the attacker, and brief them that a link from outside can act on Tuleap in their name.

🔍 How to Verify

Check if Vulnerable:

Read the running version in the web interface under Admin > System Info, or on the server with tuleap version or, since Tuleap ships as RPM packages, rpm -q tuleap.

Verify Fix Applied:

Confirm the version is 17.0.99.1763126988 or later for Community Edition, or 17.0-3 / 16.13-8 or later on the respective Enterprise Edition branch. An Enterprise 16.13 install is fixed only at 16.13-8; the 17.0-3 number does not apply to it.
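Comparing these version strings by eye is error-prone because the two editions use different syntaxes and the Enterprise Edition has two maintained branches with separate fixed releases. The following is an added example, not Enalean's code: it parses both formats and decides whether a given version is inside the affected range listed on this page. It assumes that an Enterprise branch newer than 17.0 (for example 17.1-x) was cut after the fix and therefore carries it.

```python
"""Is an installed Tuleap build inside the CVE-2025-64760 range?

Added example for this page, not Enalean's code. The fixed versions are the
ones the advisory lists: CE 17.0.99.1763126988, EE 17.0-3 and 16.13-8.
Assumption: an EE branch newer than 17.0 (e.g. 17.1-x) was cut after the
fix and therefore carries it.
"""
import re

CE_FIXED = "17.0.99.1763126988"
# EE branch -> first fixed release on that branch
EE_FIXED = {(17, 0): 3, (16, 13): 8}


def parse_ce(version: str) -> tuple:
    """CE builds are dotted integers, e.g. 17.0.99.1763126988."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a Community Edition version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def parse_ee(version: str) -> tuple:
    """EE builds are <major>.<minor>-<release>, e.g. 17.0-3."""
    m = re.fullmatch(r"(\d+)\.(\d+)-(\d+)", version)
    if not m:
        raise ValueError(f"not an Enterprise Edition version: {version!r}")
    major, minor, release = (int(g) for g in m.groups())
    return (major, minor), release


def ce_is_vulnerable(version: str) -> bool:
    # Tuple comparison is lexicographic, so 17.0.99.1763000000 < 17.0.99.1763126988
    return parse_ce(version) < parse_ce(CE_FIXED)


def ee_is_vulnerable(version: str) -> bool:
    branch, release = parse_ee(version)
    if branch > max(EE_FIXED):
        return False  # assumption: branches after 17.0 include the fix
    if branch in EE_FIXED:
        return release < EE_FIXED[branch]
    return True  # 16.12 and older: no fixed release is listed


def is_vulnerable(version: str) -> bool:
    """EE strings carry a dash before the release number; CE strings do not."""
    return ee_is_vulnerable(version) if "-" in version else ce_is_vulnerable(version)


if __name__ == "__main__":
    import sys
    for v in sys.argv[1:] or ["17.0.99.1763126988", "17.0-2", "16.13-8", "16.12-9"]:
        print(f"{v}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
```

Feed it the version string shown on the System Info page or by rpm -q tuleap. The Enterprise branch logic is the part worth keeping: 16.13-7 is vulnerable even though 17.0-3 is "lower" in the 17.0 branch's numbering, and the check refuses to treat the two branches as one line.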

📡 Detection & Monitoring

Log Indicators:

  • Tracker trigger creation or deletion events that the responsible tracker administrator did not perform. Source IP is not a useful filter here: a CSRF request is issued by the victim's own browser, so it arrives from the administrator's usual address.
  • After patching, requests rejected for a missing or invalid CSRF token, if your Tuleap version logs them, show who is being targeted.

Network Indicators:

  • HTTP POST requests to tracker trigger endpoints whose Referer or Origin header is absent or names a host other than your Tuleap instance. The CSRF token itself travels in the request body and is not visible in access logs.

SIEM Query:

source="tuleap.log" AND ("tracker trigger" AND ("created" OR "deleted"))

Adjust the strings to the wording your Tuleap version actually logs; the query assumes such events are recorded in that form.
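The network indicator above can be checked retroactively from ordinary web-server access logs. The script below is an added example for this page, not part of Tuleap: it reads nginx/Apache combined-format lines and flags POSTs to the trigger administration endpoint whose Referer is missing (low confidence, because a strict Referrer-Policy also removes it) or names a foreign host (high confidence). The hostname, the endpoint pattern and the log lines are constructed assumptions; in particular the URL pattern is a guess at where the tracker plugin handles trigger administration and must be checked against the requests your own instance emits.

```python
"""Flag tracker-trigger administration POSTs whose Referer is missing or
points at another site, i.e. the shape a CSRF attempt leaves in web-server
access logs.

Added example for this page, not part of Tuleap. Assumptions: nginx/Apache
'combined' log format; TULEAP_HOST is your instance; TRIGGER_ENDPOINT is a
guess at the tracker admin URL for triggers and must be checked against the
requests your own instance emits. The log lines below are constructed.
"""
import re
from urllib.parse import urlparse

TULEAP_HOST = "tuleap.example.com"  # assumption: replace with your hostname
# Assumption: the trigger admin page lives under the tracker plugin with a
# func= parameter; confirm the real path in your own access logs.
TRIGGER_ENDPOINT = re.compile(r"^/plugins/tracker/\?.*\bfunc=admin-triggers\b")

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a legitimate admin round trip, then two suspicious POSTs
# issued by a victim's browser (the IP is the victim's, not the attacker's).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Nov/2025:10:01:02 +0000] "GET /plugins/tracker/?tracker=42&func=admin-triggers HTTP/1.1" 200 5120 "https://tuleap.example.com/projects/demo" "Mozilla/5.0"
203.0.113.7 - - [13/Nov/2025:10:01:09 +0000] "POST /plugins/tracker/?tracker=42&func=admin-triggers HTTP/1.1" 302 0 "https://tuleap.example.com/plugins/tracker/?tracker=42&func=admin-triggers" "Mozilla/5.0"
198.51.100.23 - - [13/Nov/2025:10:03:44 +0000] "POST /plugins/tracker/?tracker=42&func=admin-triggers HTTP/1.1" 302 0 "https://evil.example.net/win-a-prize.html" "Mozilla/5.0"
198.51.100.23 - - [13/Nov/2025:10:03:45 +0000] "POST /plugins/tracker/?tracker=42&func=admin-triggers HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def classify_request(method: str, path: str, referer: str):
    """Return (severity, reason) for a suspicious trigger POST, else None."""
    if method != "POST" or not TRIGGER_ENDPOINT.match(path):
        return None
    if referer in ("", "-"):
        # Browsers drop Referer under a strict Referrer-Policy, so absence
        # alone is a weak signal; correlate with the admin who owns the session.
        return "low", "POST without Referer"
    host = urlparse(referer).hostname
    if host != TULEAP_HOST:
        # The request was sent from a page on another origin: CSRF shape.
        return "high", f"cross-site Referer from {host}"
    return None


def scan(lines):
    """One finding per suspicious line. The IP is the victim's own browser,
    which is why CSRF cannot be spotted by source address."""
    findings = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue
        verdict = classify_request(m["method"], m["path"], m["referer"])
        if verdict:
            severity, reason = verdict
            findings.append({"ip": m["ip"], "time": m["time"], "path": m["path"],
                             "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']}] {f['time']} {f['ip']} {f['reason']}")
```

On the constructed sample the same-site POST from 203.0.113.7 is ignored, the POST referred from evil.example.net is reported as high, and the POST with no Referer as low. Run it over the real access log of the Tuleap front end (nginx) for the period before you patched; the Origin header gives the same signal with fewer false positives if your log format records it.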
