Critical Jenkins Vulnerabilities Expose CI/CD Pipelines to Security Risks
On October 29, 2025, the Jenkins project published Security Advisory 2025-10-29, disclosing multiple vulnerabilities across 13 plugins for the Jenkins automation server. The flaws range from a high-severity SAML replay weakness and a shell command injection to missing permission checks, CSRF and XXE issues, and credentials stored in plain text, all of which put enterprise Continuous Integration and Continuous Deployment (CI/CD) pipelines at risk. Fixed releases exist for only some of the issues; for the rest, no fix had been published when the advisory went out, so administrators need to assess their exposure now rather than wait for updates.
SAML Plugin Replay Vulnerability
A notable high-severity vulnerability (SECURITY-3613, CVE-2025-64131) affects SAML Plugin versions up to and including 4.583.vc68232f7018a. The plugin did not keep a replay cache, so a SAML response captured in transit (by network sniffing or from a man-in-the-middle position) could be submitted to Jenkins a second time: the signature on the captured response is still valid, and nothing recorded that the assertion had already been consumed, so the attacker logs in as the victim. This matters most for Jenkins instances that sit behind corporate single sign-on and manage sensitive builds. The issue is fixed in version 4.583.585.v22ccc1139f55, which records accepted assertions in a replay cache and rejects an assertion that is presented again.
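What a replay cache has to do, as an added example in Python rather than the plugin's own Java (illustrative code written for this page, not the Jenkins SAML Plugin's implementation): remember each accepted assertion ID until the assertion's own NotOnOrAfter time, reject the same ID a second time, and reject anything already expired so the cache stays bounded. The sample assertion and the fixed clock are constructed; signature verification is assumed to have happened before this check runs.

```python
"""Added example: a SAML assertion replay cache. Not Jenkins SAML Plugin code.
Assumes the XML signature was verified before consume() is called."""
import time
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"


class ReplayError(Exception):
    """Raised when an assertion is expired or has already been consumed."""


def parse_assertion(xml_text):
    """Return (assertion_id, not_on_or_after as epoch seconds).

    Reads only the two fields the replay check needs."""
    root = ET.fromstring(xml_text)
    if root.tag != ASSERTION_TAG:
        raise ValueError("not a saml:Assertion element")
    assertion_id = root.attrib["ID"]
    conditions = root.find("saml:Conditions", SAML_NS)
    stamp = conditions.attrib["NotOnOrAfter"].replace("Z", "+00:00")
    expiry = datetime.fromisoformat(stamp).astimezone(timezone.utc).timestamp()
    return assertion_id, expiry


class AssertionReplayCache:
    """Remembers accepted assertion IDs until they would have expired anyway."""

    def __init__(self, now=time.time):
        self._now = now    # injectable clock so the behaviour can be tested
        self._seen = {}    # assertion ID -> expiry (epoch seconds)

    def _purge(self):
        # Entries past NotOnOrAfter can be dropped: an expired assertion is
        # rejected by the time check in consume() regardless of the cache.
        now = self._now()
        for aid in [a for a, exp in self._seen.items() if exp <= now]:
            del self._seen[aid]

    def consume(self, xml_text):
        """Accept an assertion exactly once; raise ReplayError otherwise."""
        assertion_id, expiry = parse_assertion(xml_text)
        self._purge()
        if expiry <= self._now():
            raise ReplayError(f"assertion {assertion_id} expired")
        if assertion_id in self._seen:
            raise ReplayError(f"assertion {assertion_id} already used")
        self._seen[assertion_id] = expiry
        return assertion_id

    def __len__(self):
        return len(self._seen)


# Constructed sample assertion (not a real IdP response); signature omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee0123" IssueInstant="2025-10-29T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2025-10-29T11:59:00Z" NotOnOrAfter="2025-10-29T12:05:00Z"/>
</saml:Assertion>"""

# Fixed clock inside the validity window (constructed for the example).
NOW = datetime(2025, 10, 29, 12, 1, tzinfo=timezone.utc).timestamp()

if __name__ == "__main__":
    cache = AssertionReplayCache(now=lambda: NOW)
    print("first use accepted:", cache.consume(SAMPLE_ASSERTION))
    try:
        cache.consume(SAMPLE_ASSERTION)
    except ReplayError as err:
        print("replay rejected:", err)
```

Keying the cache on the assertion ID (and, in a fuller implementation, on InResponseTo as well) is what closes the gap the advisory describes: the second submission carries a perfectly valid signature, so only state about what has already been accepted can tell it apart from the first.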
MCP Server Plugin Permission Misconfiguration
The MCP Server Plugin is affected by missing permission checks (SECURITY-3622, CVE-2025-64132), a medium-severity issue in versions up to and including 0.84.v50ca24ef83f2. Attackers with Item/Read permission, which many installations grant broadly, can use the unchecked endpoints to read Source Code Management (SCM) configurations, trigger builds, or enumerate cloud configurations that their role should not expose, giving them a foothold for lateral movement within the Jenkins environment. Version 0.86.v7d3355e6a18 adds the missing permission checks.
Cross-Site Request Forgery (CSRF) and XML External Entity (XXE) Vulnerabilities
Several plugins are susceptible to CSRF and XXE vulnerabilities:
– Extensible Choice Parameter Plugin: exposes an endpoint without CSRF protection (SECURITY-3583, CVE-2025-64133). An attacker can have a logged-in user's browser submit a request to it that executes sandboxed Groovy code in that user's context; the Groovy sandbox limits what the code can do, but it still runs under the victim's session. No fix is currently available.
– JDepend Plugin: uses an outdated XML parser that resolves external entities, so a crafted JDepend report ingested by a build can mount an XML External Entity (XXE) attack (SECURITY-2936, CVE-2025-64134), reading files such as secrets from the controller or making the controller issue Server-Side Request Forgery (SSRF) requests.
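The defence the JDepend finding calls for, as an added example that is not the plugin's code: refuse any DTD before the parser has a chance to resolve an entity. The Python below scans a JDepend-style report with expat and aborts on the first DOCTYPE or entity declaration, then parses the report normally. Both reports are constructed for this example; the plugin itself is Java, so this shows the principle (reject DTDs up front) rather than the JAXP feature flags a Java fix would set.

```python
"""Added example, not JDepend Plugin code: parse a JDepend-style XML report
behind a guard that refuses DTDs, so a crafted report cannot resolve an
external entity."""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXmlError(ValueError):
    """Raised when a report declares a DOCTYPE or any entity."""


def reject_dtd(xml_bytes):
    """Scan the document with expat and abort on the first DTD construct.

    Raising inside a handler stops the parse immediately, so nothing after
    the declaration is processed and no external reference is followed."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE not allowed (root {name!r})")

    def on_entity(*_decl):
        raise UnsafeXmlError("entity declaration not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)


def parse_jdepend_report(xml_bytes):
    """Return {package name: {"TotalClasses": n, "Ca": n, "Ce": n}}.

    Only top-level <Packages>/<Package> elements carry a name attribute and
    <Stats>; the nested <DependsUpon> lists name packages as text instead."""
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    report = {}
    for pkg in root.findall("./Packages/Package"):
        stats = pkg.find("Stats")
        name = pkg.get("name")
        if stats is None or name is None:
            continue
        report[name] = {field: int(stats.findtext(field, default="0"))
                        for field in ("TotalClasses", "Ca", "Ce")}
    return report


# Constructed reports, trimmed to the elements the parser reads.
BENIGN_REPORT = b"""<?xml version="1.0"?>
<JDepend><Packages>
  <Package name="com.example.core">
    <Stats><TotalClasses>10</TotalClasses><Ca>3</Ca><Ce>5</Ce></Stats>
  </Package>
</Packages></JDepend>"""

# The shape of report the XXE finding describes: with entity resolution on,
# the file contents would land in the package name and surface in the build
# output, and a SYSTEM URI pointing at an internal host would become an SSRF.
CRAFTED_REPORT = b"""<?xml version="1.0"?>
<!DOCTYPE JDepend [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<JDepend><Packages>
  <Package name="&xxe;"><Stats><TotalClasses>1</TotalClasses></Stats></Package>
</Packages></JDepend>"""

if __name__ == "__main__":
    print(parse_jdepend_report(BENIGN_REPORT))
    try:
        parse_jdepend_report(CRAFTED_REPORT)
    except UnsafeXmlError as err:
        print("rejected:", err)
```

Rejecting the DOCTYPE outright is the right policy for a build report: legitimate JDepend output never needs a DTD, so there is nothing to lose and no allow-list to maintain.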
Credential Exposure Issues
Multiple plugins improperly store credentials, exposing sensitive information:
– OpenShift Pipeline Plugin: stores tokens in plain text in job config.xml files, where users with Item/Extended Read permission, or anyone with access to the controller file system, can read them (CVE-2025-64143).
– ByteGuard Build Actions Plugin: stores API keys in plain text in the same way, exposing them to the same readers (CVE-2025-64144).
– Curseforge Publisher Plugin: exposes credentials through the same kind of unencrypted storage (CVE-2025-64146).
Each of these vulnerabilities has a CVSS score of 4.3, medium severity. Administrators should review where these plugins are used and update them as fixes become available; where Extended Read is granted widely, treat the stored tokens and keys as already exposed and rotate them.
Shell Command Injection in Azure-CLI Plugin
The azure-cli Plugin contains a high-severity shell command injection (SECURITY-3538, CVE-2025-64140) with a CVSS score of 8.8. Attackers with Item/Configure permission can use it to run arbitrary commands on the Jenkins controller itself, not merely on a build agent, which is what makes it worse than the build steps Item/Configure normally lets a user define. No fix is currently available; until one ships, disable the plugin or restrict Item/Configure on the jobs that use it to trusted users.
Additional Vulnerabilities in Other Plugins
The Themis, Start Windocks Containers, Nexus Task Runner, and Publish to Bitbucket plugins have CSRF vulnerabilities and missing permission checks that can leak credentials or make the controller connect to attacker-chosen URLs. The Eggplant Runner Plugin disables a Java HTTP authentication protection, reintroducing exposure to previously fixed issues (SECURITY-3326, CVE-2025-64135, CVSS 5.9).
Broader Impact
The extensive plugin ecosystem is what makes Jenkins versatile, and also what makes it hard to keep secure when plugins are not maintained. Unpatched instances inside corporate networks are exposed to exploitation chains that run from authentication bypass to remote code execution on the controller, and whatever runs on the controller can alter what the organization builds and ships, which is why these flaws count as software supply chain risk. No exploitation in the wild has been reported, but the advisory arrives amid an increase in attacks targeting CI/CD environments.
Recommendations for Administrators
1. Immediate Updates: Prioritize updating the SAML Plugin to version 4.583.585.v22ccc1139f55 and the MCP Server Plugin to version 0.86.v7d3355e6a18 to mitigate the most critical vulnerabilities.
2. Review and Monitor: Inventory the affected plugins in your Jenkins environment. For plugins without fixes, disable them temporarily where you can; where you cannot, tighten the permission the flaw requires (for azure-cli, Item/Configure on the jobs that use it) and watch for updates from the Jenkins project.
3. Enhance Security Practices: Implement robust access controls, regularly audit plugin configurations, and educate users on the risks associated with plugin vulnerabilities.
4. Stay Informed: Regularly consult Jenkins security advisories and related cybersecurity resources to stay updated on new vulnerabilities and recommended actions.
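The inventory step above, as an added example that is not a Jenkins project tool: compare an installed-plugin list against the versions this advisory names and say what to do for each. The input has the shape of the plugin manager API output (/pluginManager/api/json?depth=1); the sample here is constructed so the script runs offline, the azure-cli and git version strings are made up, and the plugin IDs (shortName values) are assumed from the plugin names and should be confirmed against the advisory before use.

```python
"""Added example (not a Jenkins project tool): check an installed-plugin list
against the versions Security Advisory 2025-10-29 names."""
import json

# Fix status as stated in the advisory text. "affected_through" is the last
# affected version where the advisory gives one; None means no fixed version
# had been published, so any installed version counts as affected.
# shortName values are assumed from the plugin names; verify them.
ADVISORY_2025_10_29 = {
    "saml": {"affected_through": "4.583.vc68232f7018a",
             "fixed": "4.583.585.v22ccc1139f55"},
    "mcp-server": {"affected_through": "0.84.v50ca24ef83f2",
                   "fixed": "0.86.v7d3355e6a18"},
    "azure-cli": {"affected_through": None, "fixed": None},
    "extensible-choice-parameter": {"affected_through": None, "fixed": None},
    "jdepend": {"affected_through": None, "fixed": None},
    "openshift-pipeline": {"affected_through": None, "fixed": None},
}


def version_key(version):
    """Sort key modelling Jenkins' VersionNumber ordering in simplified form:
    dot-separated parts; numeric parts compare as integers and rank above a
    non-numeric qualifier such as the 'v<hash>' suffix of incremental releases.
    That is what makes 4.583.vc68232f7018a sort below 4.583.585.v22ccc1139f55."""
    key = []
    for part in version.split("."):
        if part.isdigit():
            key.append((1, int(part), ""))
        else:
            key.append((0, 0, part))
    return tuple(key)


def is_affected(installed_version, entry):
    """True if the installed version falls inside the advisory's affected range."""
    if entry["affected_through"] is None:
        return True
    return version_key(installed_version) <= version_key(entry["affected_through"])


def assess(plugin_manager_json, advisory=ADVISORY_2025_10_29):
    """Return (shortName, installed version, action) for each advisory plugin found."""
    findings = []
    for plugin in json.loads(plugin_manager_json)["plugins"]:
        entry = advisory.get(plugin["shortName"])
        if entry is None:
            continue  # not named in this advisory
        version = plugin["version"]
        if not is_affected(version, entry):
            action = "ok"
        elif entry["fixed"]:
            action = f"update to {entry['fixed']}"
        elif plugin.get("enabled", True):
            action = "affected, no fix published: disable or restrict until fixed"
        else:
            action = "affected, no fix published (already disabled)"
        findings.append((plugin["shortName"], version, action))
    return findings


# Constructed sample in the shape of the plugin manager API output; the
# azure-cli and git version strings are made up for the example.
SAMPLE_PLUGIN_LIST = json.dumps({"plugins": [
    {"shortName": "saml", "version": "4.583.vc68232f7018a", "enabled": True},
    {"shortName": "mcp-server", "version": "0.86.v7d3355e6a18", "enabled": True},
    {"shortName": "azure-cli", "version": "1.0", "enabled": True},
    {"shortName": "git", "version": "5.7.0", "enabled": True},
]})

if __name__ == "__main__":
    for name, version, action in assess(SAMPLE_PLUGIN_LIST):
        print(f"{name:30} {version:28} {action}")
```

Against a live controller the same function can be fed the JSON returned by the plugin manager API; the version comparison is the part worth keeping, since eyeballing incremental version strings such as 4.583.vc68232f7018a against 4.583.585.v22ccc1139f55 is exactly where manual checks go wrong.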
Addressing these vulnerabilities promptly, and keeping plugin inventory and permissions under regular review, is what keeps a CI/CD pipeline from becoming the weakest link in the integrity of the software it builds.