CVE-2025-50179
BaseFortify
Publication date: 2025-06-25
Last updated on: 2025-08-21
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| enalean | tuleap | up to 16.8.99.1749830289 (excluded) |
| enalean | tuleap | up to 16.9-1 (excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-50179 is a Cross-Site Request Forgery (CSRF) vulnerability in Tuleap's tracker reports functionality. It occurs because there was no CSRF protection when creating, updating, or deleting tracker reports. This allows an attacker to trick authenticated users into performing unauthorized actions on tracker reports, such as modifying or deleting them without their consent. The vulnerability affects versions prior to Tuleap Community Edition 16.8.99.1749830289 and Tuleap Enterprise Edition 16.9-1, where a patch was introduced to enforce CSRF token validation on all tracker report manipulation operations. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to remotely trick authenticated users into making unauthorized changes to tracker reports in Tuleap. Although it does not disclose confidential information, it can lead to unauthorized modifications (integrity impact) and some availability impact on the tracker reports. The attacker requires low privileges and user interaction (such as clicking a malicious link) to exploit this vulnerability, which could disrupt normal operations or corrupt data related to software development tracking. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves missing CSRF protection in Tuleap tracker report manipulation. Detection would involve checking if your Tuleap installation is a vulnerable version prior to Community Edition 16.8.99.1749830289 or Enterprise Edition 16.9-1. There are no specific network commands provided to detect exploitation attempts. However, you can verify the Tuleap version installed on your system to determine if it is vulnerable. Additionally, monitoring for unexpected changes to tracker reports or unusual POST requests to tracker report endpoints without valid CSRF tokens could indicate exploitation attempts. Specific commands to check version or logs are not provided in the resources. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade your Tuleap installation to Community Edition version 16.8.99.1749830289 or later, or Enterprise Edition version 16.9-1 or later, where the CSRF protection fix has been applied. The fix enforces CSRF token validation on all tracker report manipulation actions, preventing unauthorized changes. Until you can upgrade, consider restricting access to the tracker report manipulation functionality to trusted users only and monitor for suspicious activity. Applying the official patch or update from Tuleap is the recommended mitigation. [1, 2, 3]
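The two answers above describe the CWE-352 pattern (a state-changing handler that trusts only the cookie-bound session) and the fix (a per-session CSRF token that must accompany every tracker report create, update or delete). The following is an added example, not Tuleap's code and not from the BaseFortify page, that models both handlers side by side and replays a legitimate and a cross-site forged submission against each. The `Session`/`Request` classes, the `/tracker/report/delete` path, the `SITE_ORIGIN` value and the audit list are invented placeholders; the token check uses the synchronizer-token pattern with a constant-time comparison, and an `Origin` header check is layered on as defence in depth.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Placeholder origin of the application; not a real Tuleap deployment.
SITE_ORIGIN = "https://tuleap.example"


@dataclass
class Session:
    """Server-side session, identified by a cookie the browser sends automatically."""
    user: str
    # Synchronizer token: random, per session, embedded in the app's own forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal model of an incoming HTTP request (constructed for this example)."""
    method: str
    path: str
    session: Optional[Session]   # resolved from the cookie; None if not logged in
    form: dict                   # POST body fields
    origin: Optional[str] = None  # Origin header, set by the browser, not by page script


def delete_report_vulnerable(req: Request, reports: dict) -> int:
    """CWE-352 pattern: being logged in is treated as proof of intent."""
    if req.method != "POST" or req.session is None:
        return 403
    reports.pop(req.form.get("report_id"), None)
    return 200


def csrf_token_valid(req: Request) -> bool:
    """True only if the submitted token matches the session's token (constant time)."""
    token = req.form.get("csrf_token")
    if not token or req.session is None:
        return False
    return hmac.compare_digest(token.encode(), req.session.csrf_token.encode())


def origin_allowed(req: Request) -> bool:
    """Defence in depth: a cross-site form post arrives with the other site's Origin."""
    return req.origin is None or req.origin == SITE_ORIGIN


def delete_report_fixed(req: Request, reports: dict, audit: Optional[list] = None) -> int:
    """Hardened handler: same action, but the request must prove it came from our page."""
    if req.method != "POST" or req.session is None:
        return 403
    if not csrf_token_valid(req) or not origin_allowed(req):
        # Record the rejection; a SOC can alert on clusters of these per user/path.
        if audit is not None:
            audit.append({"user": req.session.user, "path": req.path,
                          "origin": req.origin, "reason": "csrf_check_failed"})
        return 403
    reports.pop(req.form.get("report_id"), None)
    return 200


def simulate() -> dict:
    """Replay a forged and a legitimate submission against both handlers.

    Returns {(handler, case): (status, report_still_exists)}.
    """
    sess = Session(user="alice")
    path = "/tracker/report/delete"  # invented path, not Tuleap's real route
    # Forged: an attacker page auto-submits a form. The browser attaches alice's
    # cookie, but the attacker cannot read her token, and Origin is theirs.
    forged = Request("POST", path, sess, {"report_id": "42"},
                     origin="https://attacker.example")
    # Legitimate: submitted from the app's own form, which embeds the token.
    legit = Request("POST", path, sess,
                    {"report_id": "42", "csrf_token": sess.csrf_token},
                    origin=SITE_ORIGIN)
    audit: list = []
    results = {}
    for name, handler in (("vulnerable", delete_report_vulnerable),
                          ("fixed", delete_report_fixed)):
        for case, req in (("forged", forged), ("legit", legit)):
            store = {"42": "alice"}  # constructed report store
            status = (handler(req, store, audit) if name == "fixed"
                      else handler(req, store))
            results[(name, case)] = (status, "42" in store)
    results["audit_events"] = len(audit)
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

The vulnerable handler deletes the report in both cases; the fixed handler rejects the forged request, keeps the report, and writes one audit event, which is the kind of signal the detection answer above refers to when it mentions POSTs to report endpoints without a valid token. The token must be compared in constant time and regenerated per session (or per login), and it should never be placed in a URL or cookie the attacker's page could read.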