What is the CVSS score of CVE-2025-64497?

CVE-2025-64497 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Tuleap are affected by CVE-2025-64497?

Organizations using Tuleap should be aware of notable risk from CVE-2025-64497, a IDOR vulnerability rated CVSS 6.5. Exploitation could compromise the security of affected deployments.. A patch is available.

How to fix or mitigate CVE-2025-64497?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Tuleap CVE-2025-64497

EUVD-2025-201839 MEDIUM

Authorization Bypass Through User-Controlled Key (CWE-639)

2025-12-08 security-advisories@github.com

Authentication Bypass Tuleap

6.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.5 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 17:54 euvd

EUVD-2025-201839

Analysis Generated

Mar 15, 2026 - 17:54 vuln.today

Patch released

Mar 15, 2026 - 17:54 nvd

Patch available

CVE Published

Dec 08, 2025 - 23:15 nvd

MEDIUM 6.5

DescriptionGitHub Advisory

Tuleap is an Open Source Suite for management of software development and collaboration. Versions below 17.0.99.1762431347 of Tuleap Community Edition and Tuleap Enterprise Edition below 17.0-2, 16.13-7 and 16.12-10 allow attackers to access file release system information in projects they do not have access to. This issue is fixed in version 17.0.99.1762431347 of the Tuleap Community Edition and versions 17.0-2, 16.13-7 and 16.12-10 of Tuleap Enterprise Edition.

Analysis

Technical ContextAI

This vulnerability is classified as Authorization Bypass Through User-Controlled Key (CWE-639).

RemediationAI

A vendor patch is available. Apply it as soon as possible and verify the fix.

CVE-2025-64497 vulnerability details – vuln.today

Back

Tuleap CVE-2025-64497

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

Analysis

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code