CVE-2025-68166 is a DOM-based Cross-Site Scripting (XSS) vulnerability identified in JetBrains TeamCity, a widely used continuous integration and deployment server. The flaw exists in versions prior to 2025.11 and specifically affects the OAuth connections tab within the TeamCity web interface. DOM-based XSS occurs when client-side scripts write untrusted data to the Document Object Model (DOM) without proper sanitization, allowing attackers to inject and execute arbitrary JavaScript code in the victim’s browser. In this case, an attacker can craft a malicious link or payload that, when a user with access to the OAuth connections tab interacts with it, executes scripts that could steal session tokens, manipulate the user interface, or perform unauthorized actions on behalf of the user. The vulnerability requires user interaction (e.g., clicking a crafted link) but does not require any authentication or elevated privileges, increasing the attack surface. The CVSS 3.1 base score of 5.4 reflects a medium severity, with the vector indicating network attack vector, low attack complexity, no privileges required, user interaction required, and impacts limited confidentiality and integrity but no availability impact. No public exploits have been reported yet, and JetBrains has not published a patch link at the time of this report. The vulnerability is tracked under CWE-79, which covers improper neutralization of input leading to XSS. Given TeamCity’s role in managing build and deployment pipelines, exploitation could lead to unauthorized access to build information or manipulation of deployment processes if combined with other vulnerabilities or social engineering.

For European organizations, this vulnerability poses a risk primarily to confidentiality and integrity of the continuous integration environment. Attackers exploiting this flaw could hijack user sessions, steal sensitive tokens, or perform unauthorized actions within TeamCity, potentially leading to exposure of build configurations, credentials, or deployment pipelines. This could facilitate further attacks on software supply chains or internal networks. Although the vulnerability does not directly impact availability, the indirect consequences of compromised build systems could be severe, including insertion of malicious code into software releases. Organizations with large development teams relying on TeamCity, especially those integrating OAuth for authentication or third-party services, are at higher risk. The medium severity suggests that while the threat is not critical, it should not be ignored, particularly in sectors with high regulatory requirements such as finance, healthcare, and critical infrastructure prevalent in Europe.

1. Apply official patches or updates from JetBrains as soon as they become available for TeamCity 2025.11 or later versions. 2. Until patches are released, restrict access to the OAuth connections tab to trusted administrators only, minimizing exposure to untrusted users. 3. Implement strict Content Security Policies (CSP) on the TeamCity web interface to limit the execution of inline scripts and reduce the risk of XSS exploitation. 4. Educate users and administrators about the risks of clicking untrusted links, especially those targeting the TeamCity interface. 5. Monitor web server and application logs for suspicious activity related to the OAuth connections tab. 6. Consider deploying Web Application Firewalls (WAF) with rules tuned to detect and block XSS payloads targeting TeamCity. 7. Review and harden OAuth configurations to ensure minimal privileges and secure token handling. 8. Conduct internal security assessments and penetration tests focusing on the TeamCity environment to identify any other potential weaknesses.