CVE-2025-64760 is a Cross-Site Request Forgery (CSRF) vulnerability identified in Enalean's Tuleap software, a widely used open-source platform for software development management and collaboration. The vulnerability exists in versions prior to 17.0.99.1763126988 for the Community Edition and prior to 17.0-3 and 16.13-8 for the Enterprise Editions. The root cause is the absence of adequate CSRF protections on endpoints that manage tracker triggers, which are automation rules within Tuleap used to perform actions based on certain events. This lack of CSRF tokens or equivalent anti-CSRF mechanisms allows an attacker to craft malicious web requests that, when executed by an authenticated user, can create or delete tracker triggers without the user's explicit consent. The CVSS v3.1 base score is 4.6, reflecting a medium severity level. The vector indicates network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), user interaction (UI:R), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and low availability impact (A:L). Although exploitation requires the attacker to have some level of user privileges and to convince the user to interact with a malicious link or page, the vulnerability can lead to unauthorized changes in the workflow automation, potentially disrupting development processes or causing unintended actions. No public exploits have been reported yet, but the vulnerability's presence in widely used versions makes it a relevant risk. The issue was addressed by Enalean in the specified patched versions, which introduced proper CSRF protections to the affected endpoints.

For European organizations, especially those relying on Tuleap for software project management and collaboration, this vulnerability poses a risk to the integrity and availability of their development workflows. Unauthorized creation or deletion of tracker triggers could disrupt automated processes, leading to potential delays, mismanagement of tasks, or erroneous triggering of actions that affect project tracking and quality assurance. While confidentiality is not directly impacted, the integrity of project data and operational continuity could be compromised. Organizations in sectors with stringent compliance requirements or critical software development lifecycles may face operational risks and reputational damage if such disruptions occur. The requirement for user interaction and privileges limits the attack scope but does not eliminate risk, particularly in environments where users have elevated permissions or where social engineering is effective. Given the collaborative nature of Tuleap, the vulnerability could be exploited internally or via targeted phishing campaigns. The absence of known exploits in the wild reduces immediate risk but does not preclude future exploitation attempts.

European organizations should promptly upgrade affected Tuleap instances to the fixed versions: Community Edition 17.0.99.1763126988 or Enterprise Editions 17.0-3 and 16.13-8. Until upgrades are applied, administrators should implement strict network segmentation and access controls to limit exposure of Tuleap web interfaces to trusted users only. Employing web application firewalls (WAFs) with custom rules to detect and block suspicious CSRF-like requests can provide interim protection. User education on phishing and social engineering risks is critical to reduce the likelihood of successful exploitation requiring user interaction. Additionally, reviewing and minimizing user privileges within Tuleap can reduce the impact scope, ensuring only necessary users have permissions to modify tracker triggers. Monitoring logs for unusual changes to tracker triggers can help detect attempted exploitation. Finally, organizations should maintain an incident response plan tailored to software development platform compromises.