CVE-2025-53541
BaseFortify

Publication date: 2025-07-29

Last updated on: 2025-08-05

Assigner: GitHub, Inc.

Description
Tuleap is an open source suite created to facilitate the management of software development and collaboration. In Tuleap Community Edition prior to version 16.9.99.1751892857 and Tuleap Enterprise Edition prior to 16.8-5 and 16.9-3, malicious users with some control over certain artifacts could inject code that is rendered when the children of a parent artifact are displayed, forcing victims' browsers to execute the uncontrolled code. This is fixed in Tuleap Community Edition 16.9.99.1751892857 and Tuleap Enterprise Edition 16.8-5 and 16.9-3.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-07-29
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (3 associated CPEs)
Vendor  | Product | Version / Range
enalean | tuleap  | up to 16.8-5 (excluding)
enalean | tuleap  | up to 16.9.99.1751892857 (excluding)
enalean | tuleap  | from 16.9 (including) to 16.9-3 (excluding)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-53541 is a Cross-Site Scripting (XSS) vulnerability in Tuleap, an open source software development suite. It occurs when displaying the children of a parent artifact, where user-controlled input is not properly sanitized before being rendered on a web page. This allows a malicious user with some control over artifacts to inject and execute arbitrary code in other users' browsers when they view the children list of an artifact. [1, 2]


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers with limited privileges to execute arbitrary scripts in your browser context when you view certain artifact children in Tuleap. This can lead to low integrity impact (modification of data) and low availability impact (disruption of service). The attack requires user interaction (viewing the affected page) and can be exploited remotely over the network. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the artifact children display feature in Tuleap for improper sanitization of user input. Specifically, an attacker can add a child artifact to a parent artifact and set the child's real name or other fields to a malicious payload such as `<img src=a onerror=alert(1)>`. Viewing the children list on the artifact view should trigger the script execution if vulnerable. Detection involves verifying if such payloads execute in the browser context when viewing artifact children. There are no specific network commands provided, but manual testing or automated web application security scanners targeting XSS in artifact link fields can be used. [2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading Tuleap to a fixed version: Community Edition 16.9.99.1751892857 or Enterprise Editions 16.9-3 or 16.8-5, where the vulnerability is patched. The fix sanitizes all user-controlled input before rendering it in the DOM, preventing XSS. If upgrading immediately is not possible, restrict user privileges to prevent malicious artifact modifications and avoid viewing artifact children lists from untrusted users. Applying the patch from commit c1aec8247697d63dc4af791ecd6bd70d105ded08 is recommended. [2, 3]

