
CVE-2025-64117: CWE-352: Cross-Site Request Forgery (CSRF) in Enalean tuleap

Severity: Medium
Tags: Vulnerability, CVE-2025-64117, CVE, CWE-352
Published: Wed Nov 12 2025 (11/12/2025, 19:12:42 UTC)
Source: CVE Database V5
Vendor/Project: Enalean
Product: tuleap

Description

Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap Community Edition prior to version 16.13.99.1761813675 and Tuleap Enterprise Edition prior to versions 16.13-5 and 16.12-8 don't have cross-site request forgery protection in the management of SVN commit rules and immutable tags. An attacker could use this vulnerability to trick victims into changing the commit rules or immutable tags of a SVN repo. Tuleap Community Edition 16.13.99.1761813675, Tuleap Enterprise Edition 16.13-5, and Tuleap Enterprise Edition 16.12-8 contain a fix for the issue.

AI-Powered Analysis

Last updated: 11/12/2025, 19:35:16 UTC

Technical Analysis

CVE-2025-64117 is a Cross-Site Request Forgery (CSRF) vulnerability identified in Enalean's Tuleap software, an open-source suite used for managing software development and collaboration. The vulnerability exists in versions prior to 16.13.99.1761813675 for the Community Edition and prior to 16.13-5 and 16.12-8 for the Enterprise Edition. It specifically affects the management of SVN commit rules and immutable tags, allowing an attacker to craft malicious requests that, when executed by an authenticated user, can alter these critical repository settings without the user's consent. The vulnerability requires the victim to be authenticated and to interact with a malicious link or page, as it exploits the lack of proper CSRF protections in the affected Tuleap versions. The CVSS v3.1 base score is 4.6 (medium), reflecting that the attack vector is network-based with low attack complexity but requires privileges and user interaction. The impact primarily affects the integrity and availability of the SVN repositories managed by Tuleap, potentially leading to unauthorized changes in commit policies or tag immutability, which can disrupt development workflows and compromise codebase stability. No public exploits have been reported so far, but the vulnerability's presence in widely used project management software makes it a concern for organizations relying on Tuleap for source code management. The issue has been addressed in the specified patched versions, which implement proper CSRF protections to prevent unauthorized state-changing requests.

Potential Impact

For European organizations, the vulnerability poses a risk to the integrity and availability of software repositories managed via Tuleap. Unauthorized changes to SVN commit rules or immutable tags could lead to unauthorized code commits, rollback of critical tags, or disruption of development processes, potentially delaying projects or introducing security risks in the software supply chain. Organizations heavily reliant on Tuleap for collaborative development, especially those in regulated industries or with strict software quality requirements, may face operational and compliance challenges if exploited. While confidentiality is not directly impacted, the integrity and availability of critical development assets are at risk. The requirement for authenticated users and user interaction limits the attack scope but does not eliminate risk, especially in environments with many users or where phishing/social engineering could be effective. The absence of known exploits reduces immediate threat but patching remains critical to prevent future attacks.

Mitigation Recommendations

1. Upgrade affected Tuleap installations to the fixed versions: Community Edition 16.13.99.1761813675 or Enterprise Editions 16.13-5 and 16.12-8.
2. Implement and enforce strict CSRF protections in all web applications, including Tuleap, to prevent unauthorized state-changing requests.
3. Review and minimize user privileges, ensuring only necessary users have permissions to modify SVN commit rules and immutable tags.
4. Educate users about phishing and social engineering risks to reduce the chance of malicious link clicks that could trigger CSRF attacks.
5. Monitor repository configuration changes and audit logs for unusual or unauthorized modifications to commit rules or tags.
6. Employ web application firewalls (WAFs) with CSRF detection capabilities as an additional layer of defense.
7. Regularly review and update security policies related to software development lifecycle tools and access controls.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-27T15:26:14.128Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6914e033789e20b800798ce4

Added to database: 11/12/2025, 7:29:55 PM

Last enriched: 11/12/2025, 7:35:16 PM

Last updated: 11/12/2025, 10:16:18 PM

