CVE-2025-54536 Overview
CVE-2025-54536 is a Cross-Site Request Forgery (CSRF) vulnerability affecting JetBrains TeamCity versions prior to 2025.07. The flaw exists in the GraphQL endpoint and allows attackers to trigger authenticated state-changing operations when a logged-in user visits an attacker-controlled page. The issue is tracked under CWE-352 and was disclosed by JetBrains through their security advisory portal.
Critical Impact
Successful exploitation allows an attacker to perform privileged actions in TeamCity on behalf of an authenticated user, potentially compromising CI/CD pipelines, build artifacts, and source code integrity.
Affected Products
- JetBrains TeamCity versions before 2025.07
- TeamCity GraphQL endpoint
- Self-hosted TeamCity build server deployments
Discovery Timeline
- 2025-07-28 - CVE-2025-54536 published to NVD
- 2025-07-31 - Last updated in NVD database
Technical Details for CVE-2025-54536
Vulnerability Analysis
The vulnerability resides in the GraphQL endpoint exposed by JetBrains TeamCity. The endpoint accepted authenticated requests without sufficient anti-CSRF protections. An attacker who lures an authenticated TeamCity user to a malicious page can submit forged GraphQL mutations that execute under the victim's session.
TeamCity is a continuous integration server frequently deployed with elevated permissions over build configurations, agents, and integrated source control systems. CSRF abuse against its GraphQL API can lead to configuration tampering, credential exposure through build modifications, or unauthorized administrative actions when targeting privileged users.
The scope reaches confidentiality, integrity, and availability of the build system. User interaction is required because exploitation relies on a victim visiting an attacker-controlled resource while authenticated to TeamCity.
Root Cause
The root cause is missing or inadequate CSRF token validation on the GraphQL endpoint. State-changing GraphQL mutations did not enforce origin or token verification consistent with the protections applied to other TeamCity endpoints. This allowed cross-origin requests carrying the victim's session cookies to be accepted as legitimate.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker hosts a crafted page containing JavaScript or an auto-submitting form that issues a GraphQL request to the target TeamCity server. When an authenticated administrator or developer browses to that page, the browser attaches session credentials and the request executes server-side.
No verified public proof-of-concept code is available for CVE-2025-54536. Refer to the JetBrains Issues Fixed Overview for vendor details.
Detection Methods for CVE-2025-54536
Indicators of Compromise
- Unexpected GraphQL mutation requests in TeamCity access logs containing external Origin or Referer headers
- Unauthorized changes to build configurations, user roles, or VCS root credentials without corresponding administrator action
- New administrative users, tokens, or SSH keys created outside of normal change windows
Detection Strategies
- Review TeamCity HTTP access logs for POST requests to /app/graphql originating from unexpected referrers or external domains
- Correlate GraphQL mutation events with authenticated user sessions to identify requests not initiated from the TeamCity UI
- Audit TeamCity action history for configuration changes that do not match user-reported activity
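The following Python script is an added example, not JetBrains code and not TeamCity's real CSRF implementation. It ties together the Root Cause section (a state-changing endpoint must verify the request's Origin/Referer and a per-session token before acting) and the Detection Strategies above (scanning access logs for POSTs to /app/graphql whose Origin or Referer is not the TeamCity site). The sample log lines are constructed in a combined-log style with Referer and Origin appended; the real TeamCity access-log layout, and the header name X-CSRF-Token, are assumptions you would replace with your own server's format and mechanism.

```python
import hmac
import re
from urllib.parse import urlsplit

# Constructed sample lines in a combined-log style with the Referer and
# Origin request headers appended as the last two quoted fields. This is
# NOT TeamCity's real access-log layout; adapt LOG_RE to the format your
# server actually writes.
SAMPLE_LOG = """\
10.0.1.5 - alice [28/Jul/2025:10:01:12 +0000] "POST /app/graphql HTTP/1.1" 200 512 "https://teamcity.example.com/admin" "https://teamcity.example.com"
203.0.113.7 - bob [28/Jul/2025:10:02:44 +0000] "POST /app/graphql HTTP/1.1" 200 301 "https://evil.example.net/page.html" "https://evil.example.net"
10.0.1.9 - carol [28/Jul/2025:10:03:02 +0000] "GET /app/rest/server HTTP/1.1" 200 880 "-" "-"
10.0.1.5 - alice [28/Jul/2025:10:04:19 +0000] "POST /app/graphql HTTP/1.1" 200 420 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<origin>[^"]*)"$'
)


def site_of(value):
    """Reduce a URL-like header value to scheme://host[:port]; None if absent."""
    if not value or value == "-":
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def classify_request(origin, referer, trusted_site):
    """Decide where a state-changing request came from.

    Origin is authoritative when present; Referer is only a fallback. A
    request carrying neither cannot be attributed and is reported separately
    (browsers normally send Origin on POST, CLI clients often send nothing).
    Returns (verdict, source_site).
    """
    source = site_of(origin) or site_of(referer)
    if source is None:
        return "no-origin", None
    if source == trusted_site.lower():
        return "same-site", source
    return "cross-site", source


def should_accept_mutation(headers, trusted_site, session_token):
    """Server-side gate in the spirit of the fix: a mutation is accepted only
    when it is same-site AND carries the per-session anti-CSRF token.
    The header name X-CSRF-Token is an assumption for illustration only."""
    h = {k.lower(): v for k, v in headers.items()}
    verdict, _ = classify_request(h.get("origin"), h.get("referer"), trusted_site)
    if verdict != "same-site":
        return False
    supplied = h.get("x-csrf-token", "")
    # Constant-time comparison so token checks do not leak timing information.
    return hmac.compare_digest(supplied, session_token)


def scan_access_log(text, trusted_site, path="/app/graphql"):
    """Flag POSTs to the GraphQL endpoint that are cross-site or unattributable."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != path:
            continue
        verdict, source = classify_request(m["origin"], m["referer"], trusted_site)
        if verdict != "same-site":
            findings.append({"ts": m["ts"], "ip": m["ip"], "user": m["user"],
                             "verdict": verdict, "source": source})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG, "https://teamcity.example.com"):
        print(f"{f['ts']} {f['user']}@{f['ip']} {f['verdict']} source={f['source']}")
```

Run against the constructed sample, the scan reports bob's POST as cross-site from https://evil.example.net and alice's second POST as unattributable (no Origin and no Referer); the first alice request is same-site and is not reported. The "no-origin" verdict is kept separate from "cross-site" on purpose: legitimate API clients and scripts usually send neither header, so those entries are review items rather than alerts.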
Monitoring Recommendations
- Forward TeamCity web server and audit logs to a centralized SIEM for retention and correlation
- Alert on creation or modification of administrative roles, API tokens, and VCS credentials
- Monitor outbound network traffic from build agents for signs of credential exfiltration following suspicious mutations
How to Mitigate CVE-2025-54536
Immediate Actions Required
- Upgrade JetBrains TeamCity to version 2025.07 or later, which contains the vendor fix for this CSRF issue
- Rotate TeamCity user tokens, VCS credentials, and any secrets that may have been exposed through tampered builds
- Require administrators to log out and re-authenticate after applying the patch to invalidate active sessions
Patch Information
JetBrains addressed the vulnerability in TeamCity 2025.07. Patch details and the broader list of fixed issues are documented in the JetBrains Issues Fixed Overview. Self-hosted deployments should be updated promptly, and TeamCity Cloud tenants are maintained by JetBrains.
Workarounds
- Restrict TeamCity network exposure to trusted internal networks or VPN access until the upgrade is complete
- Instruct administrators to use a dedicated browser profile for TeamCity to limit cross-site request risk
- Enforce SameSite=Strict on the TeamCity session cookie at any reverse proxy in front of TeamCity where supported
# Example: verify the installed TeamCity version
# (-k skips TLS certificate verification; drop it once the server's certificate is trusted)
curl -sk https://teamcity.example.com/app/rest/server | grep -oE 'version="[^"]+"'

# Restrict access at the reverse proxy until patched (nginx example; replace 10.0.0.0/8 with your trusted range)
location /app/graphql {
    allow 10.0.0.0/8;
    deny all;
    proxy_pass http://teamcity_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.