JetBrains TeamCity, DOM-based XSS, CVE-2025-52875 (Critical)

Listen to this Post

🐢▶️ Listen🚀

How the CVE Works:

CVE-2025-52875 is a DOM-based Cross-Site Scripting (XSS) vulnerability in JetBrains TeamCity versions before 2025.03.3. The flaw exists in the Performance Monitor page, where improperly sanitized user-supplied input in the Metrics section allows attackers to inject malicious JavaScript. When a victim accesses the compromised page, the payload executes in their browser context, potentially leading to session hijacking, data theft, or unauthorized actions within TeamCity.

DailyCVE Form:

Platform: JetBrains TeamCity
Version: < 2025.03.3
Vulnerability: DOM-based XSS
Severity: Critical
Date: 06/25/2025

Prediction: Patch by 07/10/2025

What Undercode Say:

curl -X GET "http://teamcity-server/performance-monitor?metrics=<script>alert(1)</script>"

document.getElementById('metrics').innerHTML = unescapedUserInput;

How Exploit:

1. Craft malicious Metrics payload.

2. Trick admin into visiting Performance Monitor.

3. Execute arbitrary JavaScript.

Protection from this CVE:

1. Upgrade to TeamCity 2025.03.3+.

2. Implement CSP headers.

3. Sanitize DOM inputs.

Impact:

• Session hijacking
• Admin compromise
• Data exfiltration

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram