CVE-2025-68267

6.5 MEDIUM

📋 TL;DR

JetBrains TeamCity versions before 2025.11.1 stored GitHub personal access tokens instead of installation tokens, granting excessive privileges. This vulnerability allows attackers with access to these tokens to perform unauthorized actions on GitHub repositories. Organizations using TeamCity with GitHub integration are affected.

💻 Affected Systems

Products:
  • JetBrains TeamCity
Versions: All versions before 2025.11.1
Operating Systems: All platforms running TeamCity
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with GitHub integration configured using personal access tokens.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could gain full administrative access to GitHub repositories, allowing code modification, data exfiltration, or injection of malicious code into production pipelines.

🟠 Likely Case

Unauthorized access to GitHub repositories leading to source code theft, pipeline manipulation, or privilege escalation within the CI/CD environment.

🟢 If Mitigated

Limited impact with proper token rotation, repository access controls, and network segmentation in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to stored tokens, which could be obtained through other vulnerabilities or misconfigurations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.11.1

Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/

Restart Required: Yes

Instructions:

1. Back up TeamCity configuration and data.
2. Download TeamCity 2025.11.1 from the official JetBrains website.
3. Stop the TeamCity service.
4. Install the update following the JetBrains upgrade documentation.
5. Restart the TeamCity service.
6. Verify that the GitHub integration uses installation tokens.

🔧 Temporary Workarounds

Rotate GitHub Personal Access Tokens

all

Immediately revoke and regenerate all GitHub personal access tokens used by TeamCity with minimal necessary permissions.

Navigate to GitHub Settings > Developer settings > Personal access tokens > Tokens (classic) and revoke the affected tokens.

Replace with GitHub App Installation Tokens

all

Migrate from personal access tokens to GitHub App installation tokens which have limited, repository-specific permissions.

Follow the GitHub documentation to create a GitHub App and generate installation tokens.

🧯 If You Can't Patch

  • Immediately rotate all GitHub personal access tokens and audit repository access
  • Implement network segmentation to restrict TeamCity server access and monitor for unusual GitHub API calls

🔍 How to Verify

Check if Vulnerable:

Check TeamCity version in Administration > Server Administration > Server Health > Version. If version is below 2025.11.1 and GitHub integration is configured, the system is vulnerable.

Check Version:

Check TeamCity web interface or server logs for version information

Verify Fix Applied:

After updating to 2025.11.1, verify GitHub integration uses installation tokens by checking project settings and reviewing token permissions in GitHub.
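One way to triage this check when you hold the credential values yourself (for example in a secrets inventory), as an added example that is not from JetBrains or the original advisory: it classifies each value by GitHub's published token prefixes and flags personal access tokens for rotation or replacement. The connection names and token values in `SAMPLE` are constructed, and the report carries only a short SHA-256 fingerprint, never the token.

```python
import hashlib
import re

# GitHub's published token prefixes: (prefix, kind, is a PAT to rotate/replace)
PREFIXES = [
    ("github_pat_", "fine-grained personal access token", True),
    ("ghp_", "personal access token (classic)", True),
    ("gho_", "OAuth access token", False),
    ("ghu_", "GitHub App user access token", False),
    ("ghs_", "GitHub App installation access token", False),
    ("ghr_", "GitHub App refresh token", False),
]
LEGACY = re.compile(r"[0-9a-f]{40}")  # older tokens had no prefix; type unknown

def classify(token):
    """Return (kind, rotate) for one credential value."""
    token = token.strip()
    for prefix, kind, rotate in PREFIXES:
        if token.startswith(prefix):
            return kind, rotate
    if LEGACY.fullmatch(token):
        return "legacy unprefixed token (type unknown)", True
    return "not a recognised GitHub token", False

def fingerprint(token):
    """Short SHA-256 digest so the report never contains the secret itself."""
    return hashlib.sha256(token.strip().encode()).hexdigest()[:12]

def audit(inventory):
    """inventory: {connection name: token}. Rows needing action sort first."""
    rows = []
    for name, token in inventory.items():
        kind, rotate = classify(token)
        rows.append({"name": name, "kind": kind, "rotate": rotate,
                     "sha256_12": fingerprint(token)})
    return sorted(rows, key=lambda r: (not r["rotate"], r["name"]))

# Constructed sample values: real prefixes, meaningless bodies.
SAMPLE = {
    "vcs-root-backend": "ghp_" + "A" * 36,
    "vcs-root-frontend": "ghs_" + "B" * 36,
    "commit-status-publisher": "github_pat_" + "C" * 22 + "_" + "D" * 59,
    "old-mirror-job": "0123456789abcdef0123456789abcdef01234567",
}

if __name__ == "__main__":
    for row in audit(SAMPLE):
        action = "ROTATE/REPLACE" if row["rotate"] else "ok"
        print(f'{row["name"]:<26}{row["kind"]:<42}{row["sha256_12"]}  {action}')
```

A prefix only identifies the token type; the permissions a token actually carries still have to be reviewed in GitHub.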

📡 Detection & Monitoring

Log Indicators:

  • Unusual GitHub API calls from TeamCity IP addresses
  • Failed authentication attempts to GitHub repositories
  • Unexpected repository access patterns

Network Indicators:

  • Abnormal traffic to GitHub API endpoints from TeamCity servers
  • Unexpected repository cloning or pushing activity

SIEM Query:

source="teamcity" AND ("github.com" OR "api.github.com") AND status!=200
