CVE-2025-54528: 
JetBrains TeamCity vulnerability analysis and mitigation

In JetBrains TeamCity before version 2025.07, a Cross-Site Request Forgery (CSRF) vulnerability was discovered in the GitHub App connection flow. The vulnerability was disclosed on July 28, 2025, and was assigned identifier CVE-2025-54528. This security issue affects JetBrains TeamCity installations that have not been updated to version 2025.07 (JetBrains Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) by NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery). The attack vector is network-based, requires low attack complexity, needs no privileges, but does require user interaction. The scope is unchanged, with potential high impacts on confidentiality, integrity, and availability (NVD).

The CSRF vulnerability could potentially allow attackers to perform unauthorized actions in the context of an authenticated user's session. Given the high CVSS ratings for confidentiality, integrity, and availability, successful exploitation could lead to significant compromise of the affected TeamCity instance's security (NVD).

The primary mitigation is to upgrade TeamCity to version 2025.07 or later, which contains the fix for this vulnerability (JetBrains Advisory).