The Jenkins undertaking launched Safety Advisory 2025-10-29 on October 28, 2025, disclosing a number of vulnerabilities throughout 13 plugins that energy the favored open-source automation server.
These flaws vary from high-severity authentication bypasses to permission misconfigurations and credential exposures, probably exposing enterprise CI/CD pipelines to unauthorized entry and code execution.
Whereas fixes can be found for 2 essential points within the SAML and MCP Server plugins, most others stay unresolved, urging fast updates the place potential and vigilant monitoring.
The advisory highlights a replay vulnerability within the SAML Plugin (SECURITY-3613, CVE-2025-64131), rated excessive severity with a CVSS rating of seven.5.
Variations as much as 4.583.vc68232f7018a_ lack a replay cache, enabling attackers who intercept SAML authentication flows akin to by means of community sniffing or man-in-the-middle assaults to replay requests and impersonate customers.
This might grant full entry to Jenkins cases dealing with delicate builds, particularly in federated environments utilizing single sign-on.
The repair in model 4.583.585.v22ccc1139f55 introduces a replay cache to dam duplicates, an easy mitigation that directors ought to prioritize.
Complementing this, the MCP Server Plugin suffers from lacking permission checks (SECURITY-3622, CVE-2025-64132), a medium-severity subject (CVSS 5.4) affecting variations as much as 0.84.v50ca_24ef83f2.
Attackers with primary Merchandise/Learn entry can extract SCM configurations, set off unauthorized builds, or checklist cloud setups with out correct privileges through instruments like getJobScm, triggerBuild, and getStatus.
This escalates dangers in multi-user setups, permitting lateral motion inside Jenkins. Updating to 0.86.v7d3355e6a_a_18 enforces these checks, closing the hole successfully.
Widespread CSRF, XXE, and Credential Exposures
Past these, the advisory uncovers a cluster of medium- to high-severity flaws in different plugins, together with CSRF vulnerabilities and improper credential dealing with.
As an illustration, the Extensible Selection Parameter Plugin (SECURITY-3583, CVE-2025-64133) exposes a CSRF endpoint (CVSS 4.3) that lets unauthenticated customers execute sandboxed Groovy code through tricked interactions, with no repair but accessible.
Equally, the JDepend Plugin’s outdated XML parser (SECURITY-2936, CVE-2025-64134, CVSS 7.1) permits XXE assaults for secret extraction or SSRF when processing crafted stories.
Credential storage points plague a number of plugins: OpenShift Pipeline (CVE-2025-64143), ByteGuard Construct Actions (CVE-2025-64144), and Curseforge Writer (CVE-2025-64146) all save tokens or API keys in plain textual content inside job config.xml information, viewable by customers with Prolonged Learn entry (CVSS 4.3 every).
The azure-cli Plugin goes additional with shell command injection (SECURITY-3538, CVE-2025-64140, CVSS 8.8), permitting arbitrary controller execution for these with Merchandise/Configure rights no repair in sight.
Plugins like Themis, Begin Windocks Containers, Nexus Process Runner, and Publish to Bitbucket additionally function CSRF and lacking checks that would leak credentials or connect with malicious URLs (CVSS 4.3–5.4).
The Eggplant Runner Plugin disables a Java HTTP auth safety (SECURITY-3326, CVE-2025-64135, CVSS 5.9), reintroducing dangers from CVE-2016-5597.
Mitigations
These vulnerabilities underscore Jenkins’ expansive plugin ecosystem’s double-edged sword: versatility at the price of safety if not maintained.
With over 1,800 plugins, unpatched cases in company networks may face exploitation chains, from auth bypass to RCE, amplifying provide chain threats in software program growth.
No exploits within the wild are reported but, however the advisory’s timing aligns with rising CI/CD assaults.
CVE IDPluginSeverity (CVSS v3.1)Affected VersionsDescription SummaryFixed?CVE-2025-64131SAMLHigh (7.5)≤4.583.vc68232f7018a_Replay assault in auth flowYes (4.583.585.v22ccc1139f55)CVE-2025-64132MCP ServerMedium (5.4)≤0.84.v50ca_24ef83f2Missing permission checks for toolsYes (0.86.v7d3355e6a_a_18)CVE-2025-64133Extensible ChoiceMedium (4.3)≤239.v5f5c278708cfCSRF enabling Groovy executionNoCVE-2025-64134JDependHigh (7.1)≤1.3.1XXE through outdated XML parserNoCVE-2025-64135Eggplant RunnerMedium (5.9)≤0.0.1.301.v963cffe8ddb_8Disables Java auth protectionNoCVE-2025-64136/64137ThemisMedium (4.3)≤1.4.1CSRF & lacking verify for URL connectNoCVE-2025-64138/64139Windocks ContainersMedium (4.3)≤1.4CSRF & lacking verify for URL connectNoCVE-2025-64140azure-cliHigh (8.8)≤0.9Arbitrary shell command injectionNoCVE-2025-64141/64142Nexus Process RunnerMedium (4.3)≤0.9.2CSRF & lacking verify for URL/cred connectNoCVE-2025-64143OpenShift PipelineMedium (4.3)≤1.0.57Plain textual content token storageNoCVE-2025-64144/64145ByteGuard Construct ActionsMedium (4.3)≤1.0Plain textual content API token storage & maskingNoCVE-2025-64146/64147Curseforge PublisherMedium (4.3)≤1.0Plain textual content API key storage & maskingNoCVE-2025-64148Publish to BitbucketMedium (4.3)≤0.4Enumerates credential IDsNoCVE-2025-64149/64150Publish to BitbucketMedium (5.4)≤0.4CSRF & lacking verify for URL/cred captureNo
Organizations ought to audit plugins, apply SAML and MCP fixes instantly, disable unused ones, and allow CSRF protections. The Jenkins staff credit reporters for proactive disclosure, emphasizing neighborhood vigilance on this foundational instrument.
Comply with us on Google Information, LinkedIn, and X for every day cybersecurity updates. Contact us to function your tales.
