CVE-2025-64499 is a Cross-Site Request Forgery (CSRF) vulnerability identified in Enalean's Tuleap software, a widely used open-source suite for software development management and collaboration. The vulnerability affects versions prior to 17.0.99.1762456922 for the Community Edition and versions prior to 17.0-2, 16.13-7, and 16.12-10 for the Enterprise Edition. The flaw resides in the planning management API, where insufficient validation of requests allows an attacker to trick an authenticated user into executing unwanted actions such as creating, editing, or deleting project plans. The attack requires the victim to be authenticated and to perform an action that triggers the malicious request, typically via social engineering or malicious web content. The CVSS 3.1 base score is 4.6, reflecting a medium severity level, with attack vector being network-based, low attack complexity, requiring privileges, and user interaction. The vulnerability impacts the integrity and availability of planning data but does not compromise confidentiality. No known exploits have been reported in the wild as of the publication date. The issue is resolved in the specified patched versions of Tuleap. This vulnerability could disrupt project management workflows and potentially cause data loss or unauthorized plan modifications, impacting software development processes.

For European organizations, the impact of CVE-2025-64499 centers on the integrity and availability of project planning data within Tuleap environments. Organizations relying on Tuleap for managing software development and collaboration could face unauthorized changes to project plans, leading to project delays, mismanagement, or loss of critical planning information. While confidentiality is not directly impacted, the disruption to workflows can have downstream effects on operational efficiency and trust in project management tools. Public sector entities, research institutions, and private companies using Tuleap with exposed or weakly protected user sessions are particularly vulnerable. The requirement for authenticated access and user interaction limits the attack surface but does not eliminate risk, especially in environments with insufficient session management or user training. The absence of known exploits reduces immediate risk but underscores the importance of timely patching to prevent future exploitation. The vulnerability may also be leveraged as part of a broader attack chain targeting software development infrastructure.

1. Upgrade all affected Tuleap installations to the fixed versions: Community Edition 17.0.99.1762456922 or Enterprise Editions 17.0-2, 16.13-7, and 16.12-10 or later. 2. Implement and enforce strict anti-CSRF tokens on all API endpoints, especially those related to planning management, to ensure requests are legitimate and user-initiated. 3. Review and tighten session management policies, including shortening session lifetimes and enforcing secure cookie attributes (HttpOnly, Secure, SameSite). 4. Educate users about the risks of CSRF and the importance of not interacting with suspicious links or web content while authenticated to Tuleap. 5. Monitor API logs for unusual or unauthorized plan modification activities to detect potential exploitation attempts early. 6. Restrict access to Tuleap management APIs via network controls such as IP whitelisting or VPN requirements where feasible. 7. Conduct regular security assessments and penetration testing focused on web application vulnerabilities including CSRF. 8. Consider implementing multi-factor authentication to reduce risk from compromised credentials.