CVE-2025-67741
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in JetBrains TeamCity allows attackers to inject malicious scripts into session attributes that persist and execute when other users view affected pages. It affects all TeamCity instances running versions before 2025.11, potentially compromising user sessions and data.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity by JetBrains, a continuous integration and build management server.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, perform actions as authenticated users, or deploy malware to client browsers.
Likely Case
Attackers with access to session attributes could inject scripts that steal session cookies or credentials from users viewing affected pages.
If Mitigated
With proper input validation and output encoding, the impact is limited to script execution in user browsers without server compromise.
🎯 Exploit Status
Exploitation requires ability to modify session attributes, which typically requires some level of access to the application.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.11
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Backup your TeamCity installation and database
2. Download TeamCity 2025.11 or later from JetBrains website
3. Stop the TeamCity service
4. Install the new version following JetBrains upgrade guide
5. Restart TeamCity service
6. Verify the version is 2025.11 or higher
🔧 Temporary Workarounds
Input Validation Filter
- Implement custom input validation to sanitize session attributes before storage
- Implement server-side validation for all session attribute inputs
- Use appropriate encoding functions when outputting session data
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit script execution
- Monitor and audit session attribute modifications for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Any TeamCity version before 2025.11 is affected; check the version in Administration → Server Administration → Server Health → Version
Check Version:
Check TeamCity web interface at Administration → Server Administration → Server Health → Version
Verify Fix Applied:
Confirm version is 2025.11 or higher in Administration → Server Administration → Server Health → Version
📡 Detection & Monitoring
Log Indicators:
- Unusual session attribute modifications
- JavaScript execution errors in server logs
- Multiple failed login attempts following session changes
Network Indicators:
- Unexpected JavaScript payloads in HTTP requests
- Suspicious session cookie usage patterns
SIEM Query:
Search for 'session attribute' modifications in TeamCity logs combined with script-like patterns
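The SIEM query above, as an added example that is not from this page or from JetBrains: a small Python scanner that flags log lines mentioning a session attribute when the logged value carries script-like content, including URL-encoded, HTML-entity-encoded and double-encoded forms that a plain substring search would miss. The log line layout, the detection heuristics and the sample lines are constructed for the example; real TeamCity log formats differ.

```python
import html
import re
from urllib.parse import unquote

# Script-like patterns to look for in a logged value (assumed heuristics,
# not TeamCity's own rules). Each entry is (label, compiled regex).
SCRIPT_PATTERNS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("event-handler", re.compile(r"\bon(error|load|click|mouseover|focus)\s*=", re.I)),
    ("active-element", re.compile(r"<\s*(iframe|img|svg|object|embed)\b", re.I)),
]

# Only lines about session attribute changes are in scope, as in the SIEM query.
SESSION_ATTR_RE = re.compile(r"session attribute", re.I)

# Constructed sample lines in an assumed "[timestamp] LEVEL - message" layout.
SAMPLE_LOG = [
    '[2025-01-10 09:12:01,123] INFO - session attribute "theme" set to "dark"',
    '[2025-01-10 09:12:05,456] INFO - session attribute "displayName" set to "<script>alert(1)</script>"',
    '[2025-01-10 09:12:09,789] INFO - session attribute "displayName" set to "%253Cscript%253Ealert(1)%253C%252Fscript%253E"',
    '[2025-01-10 09:13:00,000] INFO - build step output: echo "<script>"',
]

def normalize(value):
    """Undo URL and HTML-entity encoding, bounded to three passes so that
    nested (double-encoded) values are caught without looping forever."""
    prev, cur = None, value
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, html.unescape(unquote(cur))
    return cur

def script_like(value):
    """Return the labels of all script-like patterns found in the decoded value."""
    decoded = normalize(value)
    return [label for label, rx in SCRIPT_PATTERNS if rx.search(decoded)]

def scan_log(lines):
    """Return (line_number, labels) for session-attribute lines that look script-like."""
    hits = []
    for n, line in enumerate(lines, 1):
        if not SESSION_ATTR_RE.search(line):
            continue  # out of scope: not a session attribute change
        labels = script_like(line)
        if labels:
            hits.append((n, labels))
    return hits

if __name__ == "__main__":
    for n, labels in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(labels)}")
```

Line 4 of the sample is deliberately not flagged: it contains a script tag but is not a session attribute change, which keeps the query scoped as the page describes.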