The Jenkins project has issued a security advisory covering a batch of vulnerabilities, including high-severity flaws that threaten the integrity and confidentiality of automation servers. The advisory lists 14 security issues across various plugins, several of which still had no fix available as of the publication date.
The top-priority issue is a high-severity vulnerability in the widely used SAML Plugin (CVE-2025-64131). It exposes Jenkins servers that use SAML for single sign-on to session hijacking through replay of a captured SAML login.
This vulnerability impacts Jenkins instances configured to use SAML single sign-on (SSO), a common setup in enterprise environments for integrating identity providers such as Okta, Azure AD, and Google Workspace.
Because earlier SAML Plugin versions did not keep a replay cache of the authentication request IDs they had issued, the service-provider side had no way to tell a fresh identity-provider response from a copy of one it had already accepted. A threat actor able to intercept or observe the authentication exchange (for example through network traffic, a misconfigured proxy, or logs) could replay the captured SAML response and be logged in as the legitimate user, including administrative accounts.
This class of flaw is particularly dangerous in continuous integration environments, where Jenkins credentials often have downstream access to source code repositories, container registries, and cloud infrastructure.
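The following Python sketch, added here as an illustration and not taken from the Jenkins SAML Plugin or the advisory, shows the service-provider check that a replay cache provides. It models the SAML round trip only as far as the request ID: the SP issues an AuthnRequest ID, the IdP answers with a Response whose InResponseTo names that ID, and the SP must accept each ID exactly once and only within its lifetime. The class and function names (ServiceProvider, build_idp_response, replay_attempt, late_response_rejected) are hypothetical, the SAML messages are constructed inline with no real signature, and the example assumes the IdP's XML signature has already been verified before this check runs.

```python
"""Replay cache on the SAML service-provider side: vulnerable vs. hardened."""
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_idp_response(request_id: str, name_id: str) -> str:
    """Constructed stand-in for the IdP's signed Response (no real signature)."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_{secrets.token_hex(8)}" InResponseTo="{request_id}" Version="2.0">'
        '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        f'<saml:Assertion ID="_{secrets.token_hex(8)}" Version="2.0">'
        f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
    )


class ServiceProvider:
    """Hypothetical SP login handling. With replay_protection=False it behaves
    like an SP that never records which AuthnRequest IDs it issued."""

    def __init__(self, replay_protection: bool, ttl_seconds: int = 300) -> None:
        self.replay_protection = replay_protection
        self.ttl = ttl_seconds
        self._outstanding: Dict[str, float] = {}  # issued request ID -> expiry

    def create_authn_request(self, now: float) -> str:
        """Issue a fresh, unpredictable request ID and remember it until used."""
        request_id = "_" + secrets.token_hex(16)
        if self.replay_protection:
            self._outstanding[request_id] = now + self.ttl
        return request_id

    def consume_response(self, response_xml: str, now: float) -> str:
        """Return the authenticated NameID, or raise ValueError to refuse login.
        Signature verification is assumed to have happened before this point."""
        root = ET.fromstring(response_xml)
        status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
        if status is None or not status.get("Value", "").endswith(":Success"):
            raise ValueError("IdP reported failure")
        name_id = root.find(
            f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")
        if name_id is None or not name_id.text:
            raise ValueError("no NameID in assertion")
        if not self.replay_protection:
            # Vulnerable: any well-formed successful response is accepted,
            # however many times it is presented.
            return name_id.text
        # Hardened: the response must answer an ID we issued, and popping it
        # consumes it, so a second presentation of the same response fails.
        expiry = self._outstanding.pop(root.get("InResponseTo", ""), None)
        if expiry is None:
            raise ValueError("unknown or already-consumed request ID")
        if now > expiry:
            raise ValueError("request ID expired")
        return name_id.text


def replay_attempt(replay_protection: bool) -> Tuple[str, Optional[str]]:
    """Legitimate login followed by an attacker replaying the captured response.
    Returns (user from first login, user from replay or None if refused)."""
    sp = ServiceProvider(replay_protection)
    now = 1_700_000_000.0
    request_id = sp.create_authn_request(now)
    captured = build_idp_response(request_id, "admin")  # observed on the wire/logs
    first = sp.consume_response(captured, now + 5)
    try:
        second: Optional[str] = sp.consume_response(captured, now + 60)
    except ValueError:
        second = None
    return first, second


def late_response_rejected() -> bool:
    """A response answering a request older than the TTL is refused even
    though the ID is known (the expiry path of the cache)."""
    sp = ServiceProvider(replay_protection=True, ttl_seconds=300)
    now = 1_700_000_000.0
    request_id = sp.create_authn_request(now)
    try:
        sp.consume_response(build_idp_response(request_id, "alice"), now + 600)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("no replay cache:", replay_attempt(False))   # replay succeeds
    print("with replay cache:", replay_attempt(True))  # replay refused
```

The cache must be shared across all nodes that terminate SAML logins (a per-process dictionary, as here, protects only a single-instance deployment), and bounding entries by a TTL keeps it from growing without limit while still rejecting stale responses. Real SPs additionally enforce the assertion's NotBefore/NotOnOrAfter window and audience restriction; those checks are orthogonal to the request-ID replay cache shown above.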
The October 2025 advisory also includes medium-severity vulnerabilities across several widely used plugins:
- CVE-2025-64132 – Missing permission checks in MCP Server Plugin: Attackers with Item/Read permission can trigger new builds or obtain SCM information despite lacking the permissions those actions normally require.
- CVE-2025-64133 – CSRF in Extensible Choice Parameter Plugin: The plugin does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery vulnerability that allows attackers to execute sandboxed Groovy code.
- CVE-2025-64134 – XXE in JDepend Plugin: The plugin includes an outdated XML parser vulnerable to XXE injection, allowing attackers able to control the XML report the plugin parses to extract secrets from the Jenkins controller file system or perform server-side request forgery.
- CVE-2025-64140 – Command Injection in Azure CLI Plugin: Attackers with Item/Configure permission can execute arbitrary shell commands on the Jenkins controller.
- CVE-2025-64143 to CVE-2025-64147 – Secrets Stored in Plain Text: Several plugins, including OpenShift Pipeline, ByteGuard Build Actions, and Curseforge Publisher, were found to store API tokens and credentials unencrypted in job configuration files. The advisory warns that “these tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.”
- CVE-2025-64148, CVE-2025-64149 and CVE-2025-64150 – Missing Permission Checks in Publish to Bitbucket Plugin: The plugin allowed attackers with Overall/Read permission to enumerate credential IDs and to make the controller connect to attacker-specified URLs using those credentials, exposing them to the attacker's server.
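The plain-text storage issues above are easy to check for on an existing controller, because Jenkins writes encrypted secrets into job configuration files in a recognizable form (a base64 string wrapped in braces, produced by hudson.util.Secret), while an unencrypted token is just the raw value. The following Python audit script is an added example, not code from the advisory or from any of the affected plugins. It walks a config.xml document, flags elements whose names suggest a credential but whose value is not in the encrypted format, and masks the value in its report. The element-name heuristic, the function names and the sample config.xml are assumptions constructed for this illustration; extend the name list for the plugins you run.

```python
"""Audit Jenkins job config.xml files for secret-looking values stored in plain text."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List, Tuple

# hudson.util.Secret serializes encrypted values as '{' + base64 + '}'.
# Jobs last saved by very old Jenkins versions may still carry the legacy
# bare-base64 encoding; that is reported too, so review such hits by hand.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")

# Element names that commonly carry credentials (heuristic, not exhaustive).
# 'credentialsId' is deliberately not matched: it holds an ID, not a secret.
SENSITIVE_TAG = re.compile(r"(token|secret|password|passwd|apikey|api_key)",
                           re.IGNORECASE)


def find_plaintext_secrets(config_xml: str) -> List[Tuple[str, str]]:
    """Return (element path, masked value) for every sensitive-looking element
    whose text is non-empty and not in Jenkins' encrypted-Secret format."""
    findings: List[Tuple[str, str]] = []
    _walk(ET.fromstring(config_xml), "", findings)
    return findings


def _walk(elem: ET.Element, path: str, findings: List[Tuple[str, str]]) -> None:
    here = f"{path}/{elem.tag}" if path else elem.tag
    value = (elem.text or "").strip()
    if value and SENSITIVE_TAG.search(elem.tag) and not ENCRYPTED_SECRET.match(value):
        findings.append((here, _mask(value)))
    for child in elem:
        _walk(child, here, findings)


def _mask(value: str) -> str:
    """Keep a short prefix so the hit is recognizable without printing the secret."""
    return value[:4] + "..." if len(value) > 4 else "..."


def audit_jenkins_home(jenkins_home: str) -> List[Tuple[str, str, str]]:
    """Scan every job config.xml under JENKINS_HOME; returns (file, path, masked)."""
    results: List[Tuple[str, str, str]] = []
    for config in Path(jenkins_home).glob("jobs/**/config.xml"):
        for elem_path, masked in find_plaintext_secrets(config.read_text()):
            results.append((str(config), elem_path, masked))
    return results


# Constructed sample config.xml: one plugin stores its token in the clear,
# another uses the encrypted Secret format, and one sensitive field is empty.
SAMPLE_CONFIG = """<project>
  <description>constructed sample, not a real job</description>
  <builders>
    <com.example.PublishStep plugin="example-publisher@1.0">
      <projectId>42</projectId>
      <apiToken>plain-text-token-12345</apiToken>
    </com.example.PublishStep>
    <com.example.DeployStep plugin="example-deploy@2.0">
      <username>deploy</username>
      <password>{AQAAABAAAAAQ5o5qZ3B6Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA==}</password>
      <apiSecret></apiSecret>
    </com.example.DeployStep>
  </builders>
</project>
"""

if __name__ == "__main__":
    for elem_path, masked in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"plaintext secret at {elem_path}: {masked}")
```

Run audit_jenkins_home against a copy of JENKINS_HOME rather than the live directory where possible, and treat every hit as a credential to rotate, not only to re-encrypt: the advisory's point is that anyone with Item/Extended Read or file-system access may already have read it.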
Administrators should update the affected plugins without delay and apply mitigations where no fix is yet available, to prevent session hijacking, controller compromise, and secret exposure.