CVE-2025-68163
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in JetBrains TeamCity allows attackers to inject malicious scripts into the agentpushInstall page, which are then executed when users view that page. It affects TeamCity administrators and users who access the compromised page. The vulnerability requires an attacker to have access to inject content into the affected page.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity by JetBrains
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could inject malicious JavaScript that steals administrator session cookies, leading to full TeamCity compromise and potential access to connected build systems and source code repositories.
Likely Case
Attackers with access to TeamCity could inject scripts to perform session hijacking, deface pages, or redirect users to malicious sites.
If Mitigated
With proper input validation and output encoding, the injected scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires authenticated access to the TeamCity instance and the ability to inject content into the agentpushInstall page. The XSS payload would execute when other users view the compromised page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.11 or later
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Back up your TeamCity instance.
2. Download TeamCity 2025.11 or later from the JetBrains website.
3. Stop the TeamCity server.
4. Install the new version following the JetBrains upgrade documentation.
5. Restart the TeamCity server.
6. Verify that the upgrade completed successfully.
🔧 Temporary Workarounds
Restrict access to agentpushInstall page
Limit access to the vulnerable page using network controls or authentication requirements
Implement Content Security Policy
Add CSP headers to prevent execution of injected scripts
Add 'Content-Security-Policy' header with appropriate directives to your TeamCity server configuration
🧯 If You Can't Patch
- Implement strict input validation and output encoding for the agentpushInstall page
- Monitor and audit access to the agentpushInstall page for suspicious activity
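The following is an added illustration of the output-encoding mitigation described above; it is not TeamCity code (TeamCity is Java-based) and the template strings, the `agent name` field and the helper names are assumptions made for the example. It places a raw-interpolation render beside an entity-encoded one so the difference the "If Mitigated" section describes can be checked on the same input.

```python
import html

# Constructed sample value of the kind a page might echo back, e.g. an agent
# name. The field name is hypothetical; it is not taken from the advisory.
SAMPLE_VALUE = 'build-agent-01"><script>x()</script>'

# Two hypothetical output contexts: element text and a quoted attribute.
TEXT_TEMPLATE = "<p>Agent name: {{value}}</p>"
ATTR_TEMPLATE = '<input type="text" value="{{value}}">'


def render_unsafe(template: str, value: str) -> str:
    """'Before': raw interpolation; any markup in value becomes live HTML."""
    return template.replace("{{value}}", value)


def render_escaped(template: str, value: str) -> str:
    """'After': HTML-entity-encode the value. quote=True also encodes the quote
    characters, so the value cannot terminate an attribute it is placed in."""
    return template.replace("{{value}}", html.escape(value, quote=True))


def contains_active_markup(rendered: str) -> bool:
    """Demonstration-only check: does the rendered output still carry a raw
    <script tag? (A real review would use an HTML parser, not a substring.)"""
    return "<script" in rendered.lower()


def demonstrate(value: str = SAMPLE_VALUE) -> dict:
    """Render the sample in both contexts, unsafe and escaped, and report
    which outputs still contain executable markup."""
    results = {}
    for name, template in (("text", TEXT_TEMPLATE), ("attr", ATTR_TEMPLATE)):
        unsafe = render_unsafe(template, value)
        safe = render_escaped(template, value)
        results[name] = {
            "unsafe_output": unsafe,
            "unsafe_active": contains_active_markup(unsafe),
            "escaped_output": safe,
            "escaped_active": contains_active_markup(safe),
        }
    return results


if __name__ == "__main__":
    for context, r in demonstrate().items():
        print(context, "unsafe:", r["unsafe_output"])
        print(context, "escaped:", r["escaped_output"])
```

The escaped attribute case is the one to look at: the `"` in the sample becomes `&quot;`, so the value stays inside the attribute instead of closing it and starting a new element.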
🔍 How to Verify
Check if Vulnerable:
Check your TeamCity version in the administration interface or by examining the server logs. If the version is below 2025.11, you are vulnerable.
Check Version:
Check the TeamCity web interface under Administration → Global Settings, or examine the TeamCity server logs for version information.
Verify Fix Applied:
After upgrading, verify the version shows 2025.11 or higher in the TeamCity administration interface.
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to agentpushInstall page content
- Multiple failed attempts to access or modify the vulnerable page
- Suspicious JavaScript payloads in request logs
Network Indicators:
- Unusual traffic patterns to the agentpushInstall page
- Requests containing script tags or JavaScript code targeting the vulnerable endpoint
SIEM Query:
source="teamcity" AND (uri_path="/agentpushInstall" OR message="agentpushInstall") AND (message="script" OR message="javascript" OR message="onload" OR message="onerror")
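For teams without a SIEM, here is an added Python equivalent of the query above, run over a few constructed access-log lines; it is not part of the advisory and not a JetBrains tool. It assumes a reverse proxy in front of TeamCity writes combined-format access logs and that the page is served at a path containing `agentpushInstall` (the exact `/agentpushInstall.html` path used in the sample is an assumption). It URL-decodes the query string twice so that percent-encoded or double-encoded tokens are not missed.

```python
import re
from urllib.parse import unquote_plus

# Tokens from the SIEM query above, matched case-insensitively after decoding.
SUSPICIOUS_TOKENS = ("<script", "javascript:", "onload=", "onerror=")

# Combined-format access line (ip ident user [ts] "METHOD target PROTO" status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real TeamCity output). Lines 2 and 5 carry
# encoded and double-encoded tokens aimed at the page; line 4 hits another page.
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Jan/2026:10:00:01 +0000] "GET /agentpushInstall.html HTTP/1.1" 200 5120',
    '10.0.0.9 - builder [12/Jan/2026:10:00:07 +0000] "POST /agentpushInstall.html?agentName=%3Cscript%3Ex()%3C/script%3E HTTP/1.1" 302 0',
    '10.0.0.9 - builder [12/Jan/2026:10:00:09 +0000] "GET /agentpushInstall.html?host=build-agent-01 HTTP/1.1" 200 5120',
    '10.0.0.12 - - [12/Jan/2026:10:01:00 +0000] "GET /overview.html?q=%3Cscript%3E HTTP/1.1" 200 2048',
    '10.0.0.9 - builder [12/Jan/2026:10:02:00 +0000] "POST /agentpushInstall.html?agentName=x%2522%2520onerror%253Dalert HTTP/1.1" 200 5120',
]


def parse_line(line: str):
    """Split one access-log line into fields; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    path, _, query = entry["target"].partition("?")
    entry["path"] = path
    entry["query"] = unquote_plus(query)  # first decode
    return entry


def is_suspicious(entry: dict) -> bool:
    """Flag requests to the agentpushInstall page whose query string contains a
    script-related token after a second decode (catches double encoding)."""
    if "agentpushInstall" not in entry["path"]:
        return False
    decoded = unquote_plus(entry["query"]).lower()
    return any(tok in decoded for tok in SUSPICIOUS_TOKENS)


def scan(lines):
    """Return (timestamp, ip, user, method, path, decoded_query) for each hit."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and is_suspicious(e):
            hits.append((e["ts"], e["ip"], e["user"], e["method"], e["path"], e["query"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("suspicious:", hit)
```

Access logs normally record only the request line, so this catches injection attempts carried in the query string; content submitted in a POST body is not visible here and needs the TeamCity server-side logs or an application-level audit trail, which is why the "Log Indicators" above also list modifications to the page content itself.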