CVE-2025-64760 identifies a Cross-Site Request Forgery (CSRF) vulnerability in Enalean's Tuleap software, a widely used open-source suite for software development management and collaboration. The vulnerability exists in versions of Tuleap Community Edition prior to 17.0.99.1763126988 and Enterprise Editions prior to 17.0-3 and 16.13-8, where CSRF protections are missing. This absence allows an attacker who has limited privileges (requires authentication) and can induce a user to interact with a malicious web page to perform unauthorized actions such as creating or removing tracker triggers within the Tuleap system. These tracker triggers are automation rules that can affect workflow and project management processes. The CVSS v3.1 score of 4.6 reflects a medium severity, with attack vector being network-based, low attack complexity, requiring privileges and user interaction, and impacting integrity and availability but not confidentiality. Although no known exploits are currently reported in the wild, the vulnerability could be leveraged to disrupt project tracking and management, potentially causing workflow disruptions or denial of service conditions. The issue has been addressed in the latest Community and Enterprise editions, and users are advised to upgrade to these versions to remediate the vulnerability.

For European organizations, especially those involved in software development, project management, and collaborative engineering, this vulnerability poses a risk to the integrity and availability of project tracking data. Successful exploitation could allow attackers to manipulate tracker triggers, potentially disrupting automated workflows, causing erroneous task assignments, or triggering denial of service conditions within the Tuleap environment. This could lead to project delays, loss of productivity, and operational disruptions. While confidentiality is not directly impacted, the integrity and availability issues could indirectly affect compliance with regulatory requirements around operational resilience and data accuracy. Public sector entities, research institutions, and private enterprises relying on Tuleap for critical software development processes in Europe could face significant operational challenges if this vulnerability is exploited.

Organizations should immediately upgrade affected Tuleap installations to Community Edition version 17.0.99.1763126988 or Enterprise Edition versions 17.0-3 or 16.13-8 where the CSRF protections are implemented. In addition to patching, administrators should enforce strict session management and implement Content Security Policy (CSP) headers to reduce the risk of CSRF attacks. Employing anti-CSRF tokens in all state-changing requests and validating the Origin and Referer headers can provide additional layers of defense. Restricting user privileges to the minimum necessary and educating users about the risks of interacting with untrusted web content can further reduce exploitation likelihood. Monitoring logs for unusual tracker trigger creation or deletion activities can help detect attempted exploitation. Finally, integrating Tuleap instances behind web application firewalls (WAFs) with CSRF protection rules can provide an additional security barrier.