CVE-2025-68268
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into the JetBrains TeamCity storage settings page, which are then executed in victims' browsers when they view the page. It affects all TeamCity instances running versions before 2025.11.1. Attackers could steal session cookies, redirect users, or perform actions on their behalf.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity by JetBrains
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals administrator session cookies, gains full control of TeamCity instance, compromises build pipelines, and potentially accesses source code and credentials stored in the CI/CD system.
Likely Case
Attacker steals user session cookies to gain unauthorized access to TeamCity, potentially modifying build configurations or accessing sensitive build artifacts.
If Mitigated
With proper input validation and output encoding, the malicious script would be rendered harmless as text rather than executed code.
🎯 Exploit Status
Reflected XSS typically requires user interaction (clicking a malicious link) but is straightforward to exploit once discovered.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.11.1
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Back up your TeamCity instance.
2. Download TeamCity 2025.11.1 or later from the JetBrains website.
3. Stop the TeamCity service.
4. Install the new version following the JetBrains upgrade documentation.
5. Restart the TeamCity service.
6. Verify the upgrade was successful.
🔧 Temporary Workarounds
Restrict access to storage settings
Limit access to the storage settings page to only the necessary administrators using network controls or authentication.
Implement WAF rules
Deploy a web application firewall with XSS detection rules to block malicious payloads.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources.
- Use browser security extensions or network segmentation to limit access to the TeamCity instance.
🔍 How to Verify
Check if Vulnerable:
Check your TeamCity version in the administration interface. If it is below 2025.11.1, the instance is vulnerable.
Check Version:
Check the TeamCity web interface under Administration → Global Settings, or examine the TeamCity server logs for version information.
Verify Fix Applied:
After upgrading, confirm the version shows 2025.11.1 or higher in the administration interface.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to the storage settings page with script-like parameters
- Multiple failed authentication attempts followed by storage settings access
Network Indicators:
- HTTP requests containing script tags or JavaScript in URL parameters to the storage settings endpoint
SIEM Query:
source="teamcity" AND (url="*/admin/storageSettings.html*" AND (param="*<script>*" OR param="*javascript:*"))
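The SIEM query above is a string match on the raw URL, which misses percent-encoded or mixed-case values. The following script is an added example, not part of this advisory or of TeamCity itself: it applies the same logic (requests to the storage settings endpoint whose query parameters contain a script tag or a javascript: URL) to constructed access-log lines, decoding parameters first so that encoded and double-encoded values are still seen. The log format, IP addresses, parameter names and timestamps are assumptions made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines in a common combined-log style.
# These are not real TeamCity logs; they exist only to exercise the detector.
SAMPLE_LOGS = [
    '10.0.0.5 - admin [10/Jan/2026:10:00:00 +0000] "GET /admin/storageSettings.html?projectId=Demo HTTP/1.1" 200',
    '10.0.0.9 - - [10/Jan/2026:10:00:05 +0000] "GET /admin/storageSettings.html?name=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200',
    '10.0.0.9 - - [10/Jan/2026:10:00:06 +0000] "GET /admin/storageSettings.html?url=JAVASCRIPT%253Avoid(0) HTTP/1.1" 200',
    '10.0.0.7 - - [10/Jan/2026:10:00:09 +0000] "GET /search.html?q=%3Cscript%3E HTTP/1.1" 200',
    'not a log line at all',
]

# Rough parser for "<ip> <ident> <user> [<ts>] "<method> <target> <proto>" <status>".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint from the advisory's SIEM query, and the two indicators it lists.
TARGET_PATH = "/admin/storageSettings.html"
SCRIPT_PATTERNS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)


def decode_param(value, rounds=2):
    """Percent-decode up to `rounds` times so double-encoded values are still inspected."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return a finding for a storage-settings request carrying script-like parameters, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than crash the whole scan
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(TARGET_PATH):
        return None
    # parse_qsl already decodes one layer of percent-encoding; decode_param handles the rest.
    hits = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        if SCRIPT_PATTERNS.search(decode_param(raw)):
            hits.append(name)
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "user": m.group("user"),
        "status": m.group("status"),
        "params": hits,
    }


def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

Run against the constructed lines, the scanner flags the two storage-settings requests (the encoded script tag and the double-encoded, upper-cased javascript: value) and ignores both the benign request and the script tag sent to an unrelated endpoint. Feeding it real server access logs, and extending SCRIPT_PATTERNS with the event-handler and HTML-entity variants a WAF ruleset would cover, is the natural next step.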