CVE-2025-68166

5.4 MEDIUM

📋 TL;DR

This DOM-based cross-site scripting (XSS) vulnerability in JetBrains TeamCity allows attackers to inject malicious scripts into the OAuth connections tab. When exploited, it could enable session hijacking, credential theft, or unauthorized actions within authenticated sessions. Organizations running vulnerable TeamCity instances are affected.

💻 Affected Systems

Products:
  • JetBrains TeamCity
Versions: All versions before 2025.11
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to the OAuth connections tab, which typically requires administrative privileges.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, compromise the entire TeamCity instance, and pivot to internal systems or source code repositories.

🟠 Likely Case

Attackers could hijack user sessions, perform unauthorized actions within TeamCity, or steal sensitive build configuration data.

🟢 If Mitigated

With proper network segmentation and access controls, impact would be limited to the TeamCity application itself.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access to the OAuth connections tab and user interaction with malicious payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.11 or later

Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/

Restart Required: Yes

Instructions:

1. Back up TeamCity configuration and data.
2. Download TeamCity 2025.11 or later from the JetBrains website.
3. Follow the official TeamCity upgrade guide.
4. Restart TeamCity services.

🔧 Temporary Workarounds

Restrict OAuth Connections Tab Access

Applies to: all

Limit access to the vulnerable OAuth connections tab to essential administrators only.

Implement Content Security Policy

Applies to: all

Add strict CSP headers to mitigate XSS impact.

🧯 If You Can't Patch

  • Implement strict network access controls to limit TeamCity exposure
  • Enable audit logging for all OAuth connection tab activities

🔍 How to Verify

Check if Vulnerable:

Check TeamCity version in Administration → Server Administration → Server Health → Version

Check Version:

Check the TeamCity web interface or the server logs for version information.

Verify Fix Applied:

Verify that the version shown in the same location is 2025.11 or later.
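The version check above is easy to get wrong across a fleet, because TeamCity version strings come in several shapes ("2025.07.3", "2024.12 (build 174331)", "TeamCity Enterprise 2026.03"). The following is an added example, not code from JetBrains or from this advisory: it parses such strings, compares them against the 2025.11 fix version, and triages a constructed inventory. The optional fetch_version helper assumes the TeamCity REST endpoint /app/rest/server returns a JSON object with a "version" field when asked for application/json, and a bearer token with read access; both are assumptions of this example, not facts stated on the page.

```python
import json
import re
import urllib.request
from typing import Dict, Optional, Tuple

# First fixed version stated in the advisory (year.release).
FIXED_VERSION: Tuple[int, int] = (2025, 11)

# TeamCity versions look like YYYY.RR or YYYY.RR.B (bugfix), optionally
# surrounded by product name or "(build NNNNNN)" text.
_VERSION_RE = re.compile(r"(\d{4})\.(\d{1,2})(?:\.(\d+))?")


def parse_teamcity_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (year, release, bugfix) from a TeamCity version string.

    Returns None when no YYYY.RR pattern is present. The build number in
    "(build 174331)" has no dot, so it is never mistaken for a version.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    year, release, bugfix = m.groups()
    return (int(year), int(release), int(bugfix) if bugfix else 0)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version predates 2025.11, False if fixed, None if unparsable.

    Only year and release decide: any 2025.11.x bugfix build already
    carries the fix, so the bugfix component is deliberately ignored.
    """
    v = parse_teamcity_version(text)
    if v is None:
        return None
    return (v[0], v[1]) < FIXED_VERSION


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map server name -> "vulnerable" / "fixed" / "unknown" for CVE-2025-68166."""
    labels = {True: "vulnerable", False: "fixed", None: "unknown"}
    return {name: labels[is_vulnerable(version)] for name, version in inventory.items()}


def fetch_version(base_url: str, token: str, timeout: float = 10.0) -> str:
    """Ask a TeamCity server for its version over the REST API.

    ASSUMPTION: GET <base_url>/app/rest/server with Accept: application/json
    returns {"version": "..."}; adjust if your instance differs. Not
    exercised by the offline demo below.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/app/rest/server",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed inventory for demonstration; not real hosts.
    sample_inventory = {
        "ci-build-01": "2025.07.3",
        "ci-build-02": "2024.12 (build 174331)",
        "ci-build-03": "TeamCity Enterprise 2025.11 (build 180000)",
        "ci-build-04": "2026.03",
        "ci-legacy": "version string missing",
    }
    for server, status in triage(sample_inventory).items():
        print(f"{server:12s} {status}")
```

Run it as-is to see the constructed inventory triaged; in practice replace the dictionary with versions collected from the Administration page, server logs, or fetch_version against each instance.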

📡 Detection & Monitoring

Log Indicators:

  • Unusual OAuth configuration changes
  • Multiple failed authentication attempts to OAuth endpoints

Network Indicators:

  • Suspicious JavaScript payloads in HTTP requests to OAuth endpoints

SIEM Query:

source="teamcity" AND (event="oauth_config_change" OR event="admin_action")
