CVE-2025-64482

MEDIUM

Tuleap <16.13.99.1762267347 - CSRF

Title source: llm

Description

Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap Community Edition prior to version 16.13.99.1762267347 and Tuleap Enterprise Edition prior to versions 17.01-, 16.13-6, and 16.12-9 don't have cross-site request forgery protections in the file release system. An attacker could use this vulnerability to trick victims into changing the commit rules or immutable tags of a SVN repo. Tuleap Community Edition 16.13.99.1762267347, Tuleap Enterprise Edition 17.0-1, Tuleap Enterprise Edition 16.13-6, and Tuleap Enterprise Edition 16.12-9 fix the issue.

References (4)

Core 4

Core References

Vendor Advisory x_refsource_confirm

https://github.com/Enalean/tuleap/security/advisories/GHSA-w7h4-9vf6-q7rc

Patch x_refsource_misc

https://github.com/Enalean/tuleap/commit/899b5c1693324211947b72f2810ae8944e1bd0d5

View Patch ZIP pw:eip

Various Sources x_refsource_misc

https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=899b5c1693324211947b72f2810ae8944e1bd0d5

Various Sources x_refsource_misc

https://tuleap.net/plugins/tracker/?aid=45259

Scores

CVSS v3 4.6

EPSS 0.0002

EPSS Percentile 4.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (4)

Enalean/tuleap Tuleap Community Edition < 16.13.99.1762267347

Enalean/tuleap Tuleap Enterprise Edition < 16.12-9

Enalean/tuleap Tuleap Enterprise Edition < 16.13-6

Enalean/tuleap Tuleap Enterprise Edition < 17.0-1

Published Nov 12, 2025

Tracked Since Feb 18, 2026