Jenkins automation server users face critical security threats following the disclosure of 14 distinct vulnerabilities spanning multiple plugins.
The security advisory reveals a widespread pattern of authentication bypass mechanisms, missing permission enforcement, and credential exposure issues that collectively put enterprise CI/CD infrastructure at serious risk.
SAML Authentication Bypass Threatens User Sessions
The most critical flaw emerges from the SAML plugin vulnerability, tracked as CVE-2025-64131 with a high CVSS score of 8.4.
The plugin failed to implement a replay cache in versions 4.583.vc68232f7018a and earlier, allowing attackers to intercept and replay SAML authentication requests between a user’s web browser and Jenkins.
| CVE ID | Severity | CVSS Score | Vulnerability Type |
| --- | --- | --- | --- |
| CVE-2025-64131 | High | 8.4 | Replay Attack |
| CVE-2025-64132 | Medium | 6.5 | Missing Permission Checks |
| CVE-2025-64133 | Medium | 5.4 | CSRF |
| CVE-2025-64134 | High | 7.1 | XXE Injection |
| CVE-2025-64135 | Medium | 5.9 | Disabled Security Feature |
| CVE-2025-64136 | Medium | 4.3 | CSRF |
| CVE-2025-64137 | Medium | 4.3 | Missing Permission Check |
| CVE-2025-64138 | Medium | 5.4 | CSRF |
| CVE-2025-64139 | Medium | 5.4 | Missing Permission Check |
| CVE-2025-64140 | High | 8.8 | Shell Command Injection |
| CVE-2025-64141 | Medium | 5.4 | CSRF |
| CVE-2025-64142 | Medium | 5.4 | Missing Permission Check |
| CVE-2025-64143 | Medium | 5.7 | Plaintext Token Storage |
| CVE-2025-64144 | Medium | 5.7 | Plaintext Token Storage |
| CVE-2025-64145 | Medium | 5.7 | Credential Masking Issue |
| CVE-2025-64146 | Medium | 5.7 | Plaintext API Key Storage |
| CVE-2025-64147 | Medium | 5.7 | API Key Masking Issue |
| CVE-2025-64148 | Medium | 5.7 | Credential Enumeration |
| CVE-2025-64149 | Medium | 6.5 | CSRF |
| CVE-2025-64150 | Medium | 6.5 | Missing Permission Check |
This authentication bypass gives attackers complete access to user accounts without needing valid credentials or authentication details.
The attack requires attackers to obtain information about the SAML authentication flow, but once captured, replayed requests authenticate them as legitimate users.
Jenkins addressed this critical gap by implementing proper replay cache protection in version 4.583.585.v22ccc1139f55, making immediate updates essential for affected deployments.
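The fix described above is a replay cache: the service provider remembers each assertion ID it has accepted until the assertion's own NotOnOrAfter instant, so a captured response presented a second time is refused. The following is an added illustration of that mechanism, not the SAML plugin's code; the response XML is a constructed sample with hypothetical values, and signature verification of the response is assumed to have already taken place.

```python
import threading
import time
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

class ReplayCache:
    """Remember accepted assertion IDs until NotOnOrAfter; a repeat inside that window is a replay."""
    def __init__(self):
        self._seen = {}                    # assertion ID -> expiry (epoch secs)
        self._lock = threading.Lock()

    def accept(self, assertion_id, not_on_or_after, now=None):
        now = time.time() if now is None else now
        with self._lock:
            # purge expired IDs so the cache stays bounded
            for k in [k for k, exp in self._seen.items() if exp <= now]:
                del self._seen[k]
            if not_on_or_after <= now:
                return False               # assertion itself has expired
            if assertion_id in self._seen:
                return False               # replayed assertion
            self._seen[assertion_id] = not_on_or_after
            return True

def assertion_claims(response_xml):
    """Return (assertion ID, NotOnOrAfter as epoch seconds). The response
    signature is assumed to have been verified before this is called."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    expiry = cond.get("NotOnOrAfter").replace("Z", "+00:00")
    return assertion.get("ID"), datetime.fromisoformat(expiry).timestamp()

# Constructed sample response (hypothetical values), not from any real IdP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">
  <saml:Assertion ID="_a1b2c3" IssueInstant="2025-11-01T12:00:00Z">
    <saml:Conditions NotOnOrAfter="2025-11-01T12:05:00Z"/>
  </saml:Assertion></samlp:Response>"""

def simulate():
    """Accept the first presentation, reject a replay 30 s later and a late one."""
    cache = ReplayCache()
    aid, exp = assertion_claims(SAMPLE_RESPONSE)
    t0 = exp - 300                         # 12:00:00Z, inside validity window
    return (cache.accept(aid, exp, now=t0),
            cache.accept(aid, exp, now=t0 + 30),
            cache.accept(aid, exp, now=exp + 1))
```

Without the cache, the second call would succeed exactly as the first did, which is the behaviour the unpatched plugin versions exhibited.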
The MCP Server plugin carries multiple authorization failures in version 0.84.v50ca_24ef83f2 and earlier, rated as medium severity through CVE-2025-64132.
The plugin fails to perform adequate permission checks across several tools, creating pathways for privilege escalation.
Attackers with basic Item/Read permissions can obtain sensitive information about configured source control systems despite lacking Item/Extended Read privileges.
More alarmingly, the same low-level access allows attackers to trigger new builds of protected jobs without Item/Build permissions.
Additional authentication gaps permit unauthenticated users lacking Overall/Read permissions to retrieve names of configured clouds.
Version 0.86.v7d3355e6a_a_18 addresses these authorization oversights through comprehensive permission validation.
Azure CLI Plugin CVE-2025-64140 represents another high-severity vulnerability with a CVSS score of 8.8.
The plugin fails to restrict shell command execution on the Jenkins controller, allowing attackers with Item/Configure permissions to execute arbitrary system commands.
JDepend Plugin vulnerability CVE-2025-64134 introduces XML external entity (XXE) injection through outdated dependencies, potentially exposing secrets or enabling server-side request forgery attacks.
Additional weaknesses include CSRF vulnerabilities across multiple plugins (Extensible Choice Parameter, Themis, and Windocks Container Manager), plaintext storage of authentication tokens and API keys in configuration files, and credential enumeration through missing permission checks.
Several plugins store sensitive credentials unencrypted in config.xml files, viewable by users with Item/Extended Read permissions or file system access.
Organizations running affected Jenkins deployments should prioritize patching the high-severity vulnerabilities first, particularly SAML plugin replay attacks and Azure CLI command injection flaws.
Many plugins have received fixes, though several advisories note unresolved vulnerabilities without available patches at publication time.
Enterprise teams should review their plugin inventory against the affected versions list and apply available security updates immediately.