CVE-2025-68165
📋 TL;DR
JetBrains TeamCity versions before 2025.11 contain a reflected cross-site scripting (XSS) vulnerability in the VCS Root setup interface. This allows attackers to inject malicious scripts that execute in users' browsers when they visit specially crafted URLs. Organizations using vulnerable TeamCity instances are affected.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity by JetBrains, a continuous integration and build management server.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to full TeamCity compromise.
Likely Case
Attackers trick authenticated users into clicking malicious links, leading to session hijacking or unauthorized actions within TeamCity.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before reaching users' browsers.
🎯 Exploit Status
Exploitation requires tricking authenticated users into clicking malicious URLs; reflected XSS typically has low technical complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.11 or later
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Back up TeamCity configuration and data.
2. Download TeamCity 2025.11 or later from the JetBrains website.
3. Follow the JetBrains upgrade documentation for your deployment method (Windows/Linux/Docker).
4. Restart TeamCity services.
🔧 Temporary Workarounds
Input Validation Filter
Implement web application firewall (WAF) rules to filter malicious script patterns in VCS Root parameters.
WAF-specific configuration required; consult your WAF documentation for XSS rule setup.
🧯 If You Can't Patch
- Restrict access to TeamCity interface to trusted users only using network segmentation or VPN.
- Implement Content Security Policy (CSP) headers to mitigate script execution from untrusted sources.
🔍 How to Verify
Check if Vulnerable:
Check the TeamCity version in Administration → Server Administration → Global Settings; if the version is below 2025.11, the system is vulnerable.
Check Version:
On the TeamCity server: cat /opt/teamcity/version.txt (Linux), or check the TeamCity installation directory (Windows).
Verify Fix Applied:
After the upgrade, verify that the version is 2025.11 or higher in the same location; test the VCS Root setup interface with safe payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to VCS Root endpoints with script-like parameters in access logs.
Network Indicators:
- HTTP requests containing <script> tags or javascript: URIs in VCS Root-related URLs.
SIEM Query:
source="teamcity_access.log" AND uri_path="/app/rest/vcs-roots" AND (query="*<script>*" OR query="*javascript:*")
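As an added example, not taken from this advisory or from JetBrains, the following Python scanner applies the log indicators above to access-log lines offline: it URL-decodes each query parameter before matching, which the SIEM query above would miss for percent-encoded input, and scopes the match to VCS Root related paths. The admin UI path is an assumption to adjust for your deployment, and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Indicators named on the page (<script> tags, javascript: URIs), matched on the
# URL-decoded value so percent-encoded variants such as %3Cscript%3E are caught too.
SCRIPT_PATTERNS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)

# REST path from the page's SIEM query; the admin UI path is an assumption.
VCS_ROOT_PATHS = ("/app/rest/vcs-roots", "/admin/editVcsRoot.html")

# Common Log Format: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Return the request fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "user": m.group("user"), "path": url.path,
            "query": url.query, "status": int(m.group("status"))}


def suspicious_params(query):
    """Names of query parameters whose decoded value contains a script pattern."""
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if SCRIPT_PATTERNS.search(value)]


def scan(lines):
    """Alert on every VCS Root related request that carries script-like input."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(VCS_ROOT_PATHS):
            continue  # unparseable, or outside the VCS Root endpoints
        params = suspicious_params(rec["query"])
        if params:
            alerts.append({**rec, "params": params})
    return alerts


# Constructed sample lines, not real traffic: benign, encoded <script>, javascript: URI, out-of-scope hit.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Jan/2026:10:01:02 +0000] "GET /app/rest/vcs-roots?locator=project:Demo HTTP/1.1" 200 512',
    '10.0.0.7 - bob [12/Jan/2026:10:02:30 +0000] "GET /admin/editVcsRoot.html?action=addVcsRoot&vcsName=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/Jan/2026:10:03:11 +0000] "GET /app/rest/vcs-roots?locator=javascript%3Avoid(0) HTTP/1.1" 400 90',
    '10.0.0.9 - - [12/Jan/2026:10:04:00 +0000] "GET /search.html?q=%3Cscript%3E HTTP/1.1" 200 300',
]
```

Running scan(SAMPLE_LOG) flags only the second and third lines; the fourth carries the same pattern but falls outside the VCS Root scope and is left for a broader XSS rule.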