CVE-2025-64117: CWE-352: Cross-Site Request Forgery (CSRF) in Enalean tuleap
Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap Community Edition prior to version 16.13.99.1761813675 and Tuleap Enterprise Edition prior to versions 16.13-5 and 16.12-8 don't have cross-site request forgery protection in the management of SVN commit rules and immutable tags. An attacker could use this vulnerability to trick victims into changing the commit rules or immutable tags of a SVN repo. Tuleap Community Edition 16.13.99.1761813675, Tuleap Enterprise Edition 16.13-5, and Tuleap Enterprise Edition 16.12-8 contain a fix for the issue.
AI Analysis
Technical Summary
CVE-2025-64117 is a Cross-Site Request Forgery (CSRF) vulnerability identified in Enalean's Tuleap software, an open-source suite designed to facilitate software development management and collaboration. The vulnerability exists in versions prior to 16.13.99.1761813675 for the Community Edition and prior to 16.13-5 and 16.12-8 for the Enterprise Editions. Specifically, the issue arises due to the absence of CSRF protection mechanisms in the management interfaces for Subversion (SVN) commit rules and immutable tags. An attacker with limited privileges can exploit this vulnerability by tricking an authenticated user into submitting a crafted request that changes SVN commit rules or immutable tags without the user's consent. This manipulation could alter repository policies, potentially allowing unauthorized commits or preventing legitimate changes, thereby impacting the integrity and availability of the software development process. The vulnerability requires the victim to be authenticated and to interact with a malicious link or page, limiting the attack scope. The CVSS v3.1 base score is 4.6 (medium), reflecting network attack vector, low attack complexity, privileges required, user interaction, and limited impact on integrity and availability but no confidentiality impact. No public exploits are known at this time. The issue has been addressed in the specified fixed versions of Tuleap, which implement proper CSRF protections in the affected components.
Potential Impact
For European organizations, especially those relying on Tuleap for managing software development and SVN repositories, this vulnerability could lead to unauthorized changes in repository commit rules or immutable tags. Such unauthorized modifications may disrupt development workflows, cause integration issues, or introduce risks by allowing unintended code changes or blocking legitimate ones. While the vulnerability does not directly expose sensitive data (no confidentiality impact), it undermines the integrity and availability of development processes, which can delay projects and increase operational risk. Organizations in sectors with strict software supply chain requirements, such as finance, healthcare, and critical infrastructure, may face compliance and operational challenges if exploited. The requirement for user interaction and privileges reduces the likelihood of widespread automated exploitation but does not eliminate targeted attacks, particularly in environments with less stringent access controls or user awareness.
Mitigation Recommendations
European organizations should immediately verify their Tuleap versions and upgrade to Community Edition 16.13.99.1761813675 or Enterprise Editions 16.13-5 / 16.12-8 or later to ensure CSRF protections are in place. In addition to patching, organizations should enforce strict access controls and least privilege principles to limit the number of users with permissions to modify SVN commit rules and immutable tags. Implementing multi-factor authentication (MFA) can reduce the risk of compromised credentials being used to exploit this vulnerability. Security awareness training should emphasize the risks of CSRF and encourage cautious behavior regarding unsolicited links or requests while authenticated. Network-level protections such as web application firewalls (WAFs) can be tuned to detect and block suspicious CSRF attempts targeting Tuleap endpoints. Regular audits of repository settings and commit rules can help detect unauthorized changes early. Finally, organizations should monitor Tuleap security advisories for any updates or emerging exploit reports.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
CVE-2025-64117: CWE-352: Cross-Site Request Forgery (CSRF) in Enalean tuleap
Description
Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap Community Edition prior to version 16.13.99.1761813675 and Tuleap Enterprise Edition prior to versions 16.13-5 and 16.12-8 don't have cross-site request forgery protection in the management of SVN commit rules and immutable tags. An attacker could use this vulnerability to trick victims into changing the commit rules or immutable tags of a SVN repo. Tuleap Community Edition 16.13.99.1761813675, Tuleap Enterprise Edition 16.13-5, and Tuleap Enterprise Edition 16.12-8 contain a fix for the issue.
AI-Powered Analysis
Technical Analysis
CVE-2025-64117 is a Cross-Site Request Forgery (CSRF) vulnerability identified in Enalean's Tuleap software, an open-source suite designed to facilitate software development management and collaboration. The vulnerability exists in versions prior to 16.13.99.1761813675 for the Community Edition and prior to 16.13-5 and 16.12-8 for the Enterprise Editions. Specifically, the issue arises due to the absence of CSRF protection mechanisms in the management interfaces for Subversion (SVN) commit rules and immutable tags. An attacker with limited privileges can exploit this vulnerability by tricking an authenticated user into submitting a crafted request that changes SVN commit rules or immutable tags without the user's consent. This manipulation could alter repository policies, potentially allowing unauthorized commits or preventing legitimate changes, thereby impacting the integrity and availability of the software development process. The vulnerability requires the victim to be authenticated and to interact with a malicious link or page, limiting the attack scope. The CVSS v3.1 base score is 4.6 (medium), reflecting network attack vector, low attack complexity, privileges required, user interaction, and limited impact on integrity and availability but no confidentiality impact. No public exploits are known at this time. The issue has been addressed in the specified fixed versions of Tuleap, which implement proper CSRF protections in the affected components.
Potential Impact
For European organizations, especially those relying on Tuleap for managing software development and SVN repositories, this vulnerability could lead to unauthorized changes in repository commit rules or immutable tags. Such unauthorized modifications may disrupt development workflows, cause integration issues, or introduce risks by allowing unintended code changes or blocking legitimate ones. While the vulnerability does not directly expose sensitive data (no confidentiality impact), it undermines the integrity and availability of development processes, which can delay projects and increase operational risk. Organizations in sectors with strict software supply chain requirements, such as finance, healthcare, and critical infrastructure, may face compliance and operational challenges if exploited. The requirement for user interaction and privileges reduces the likelihood of widespread automated exploitation but does not eliminate targeted attacks, particularly in environments with less stringent access controls or user awareness.
Mitigation Recommendations
European organizations should immediately verify their Tuleap versions and upgrade to Community Edition 16.13.99.1761813675 or Enterprise Editions 16.13-5 / 16.12-8 or later to ensure CSRF protections are in place. In addition to patching, organizations should enforce strict access controls and least privilege principles to limit the number of users with permissions to modify SVN commit rules and immutable tags. Implementing multi-factor authentication (MFA) can reduce the risk of compromised credentials being used to exploit this vulnerability. Security awareness training should emphasize the risks of CSRF and encourage cautious behavior regarding unsolicited links or requests while authenticated. Network-level protections such as web application firewalls (WAFs) can be tuned to detect and block suspicious CSRF attempts targeting Tuleap endpoints. Regular audits of repository settings and commit rules can help detect unauthorized changes early. Finally, organizations should monitor Tuleap security advisories for any updates or emerging exploit reports.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-10-27T15:26:14.128Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6914e033789e20b800798ce4
Added to database: 11/12/2025, 7:29:55 PM
Last enriched: 11/19/2025, 7:58:16 PM
Last updated: 12/28/2025, 1:18:34 AM
Views: 74
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
LangChain core vulnerability allows prompt injection and data exposure
MediumCVE-2025-14177: CWE-125 Out-of-bounds Read in PHP Group PHP
MediumCVE-2025-14180: CWE-476 NULL Pointer Dereference in PHP Group PHP
HighCVE-2025-14178: CWE-787 Out-of-bounds Write in PHP Group PHP
MediumCVE-2025-15109: Unrestricted Upload in jackq XCMS
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.