CVE-2025-52899
BaseFortify
Publication date: 2025-07-29
Last updated on: 2025-08-22
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| enalean | tuleap | to 16.8-4 (exc) |
| enalean | tuleap | to 16.9.99.1750843170 (exc) |
| enalean | tuleap | From 16.9 (inc) to 16.9-2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-204 | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52899 is a vulnerability in Tuleap's "forgot password" form that allows an attacker to perform user enumeration. The form behaves differently depending on whether the submitted username exists, revealing valid usernames to attackers. This happens because the system returns distinct error messages when an account does not exist. The vulnerability was fixed by modifying the password reset functionality to always return a generic confirmation message, preventing attackers from determining if a username is valid. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to discover valid usernames on your Tuleap platform without any authentication or user interaction. Knowing valid usernames can facilitate further attacks such as phishing, password guessing, or targeted social engineering. Although the confidentiality impact is low and there is no impact on integrity or availability, the exposure of valid usernames can still pose a security risk. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'forgot password' form on the Tuleap platform to see if it returns different responses based on whether a username exists or not. An attacker or tester can submit various usernames and observe if the system reveals account existence through distinct error messages or confirmation messages. For example, using curl commands to submit password reset requests with different usernames and comparing the responses can help detect the vulnerability. A sample command might be: curl -X POST -d 'username=someuser' https://your-tuleap-instance/forgot_password and then comparing the response content or status for existing versus non-existing usernames. If the responses differ in a way that reveals valid usernames, the system is vulnerable. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Tuleap to the fixed versions: Community Edition version 16.9.99.1750843170 or later, or Enterprise Edition versions 16.8-4 or 16.9-2 or later. These versions include a fix that standardizes the password reset responses to prevent user enumeration by returning generic confirmation messages regardless of account existence. If upgrading immediately is not possible, consider implementing temporary measures to standardize error messages on the forgot password form to avoid revealing account existence, such as customizing the application to always display a generic confirmation message and suppress error messages related to invalid usernames. [1, 2, 3]