CVE-2025-24398

The Jenkins Bitbucket Server Integration Plugin (versions 2.1.0 through 4.1.3 inclusive) implements a Jenkins extension point that allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. According to the Jenkins Security Advisory, this extension point was intended to support OAuth 1.0 authentication flows, but the plugin’s implementation was overly permissive, failing to restrict which URLs had CSRF protection disabled. This allows an attacker to craft a URL that would bypass CSRF protection for any target URL in Jenkins [2].

Exploitation does not require authentication or any special privileges. The attacker only needs to trick an authenticated Jenkins user into clicking a specially crafted link, or in some cases, the vulnerability can be triggered automatically if the attacker can control a resource loaded by a victim. Because the CSRF bypass applies to any URL, the attack surface is broad: any Jenkins endpoint that normally relies on CSRF tokens for protection becomes vulnerable [2].

The impact is severe: an attacker can trick a Jenkins administrator or any authenticated user into performing unintended actions, such as modifying job configurations, deleting jobs, creating new users, or executing arbitrary commands on the Jenkins controller. This effectively means that any state-changing operation normally protected by CSRF tokens can be performed without the user’s consent or knowledge [2].

Mitigation is straightforward: the plugin version 4.1.4 restricts the CSRF bypass to only the specific URLs required for OAuth 1.0 authentication. Users should upgrade to version 4.1.4 or later as soon as possible. No workarounds other than disabling the plugin are known. The vulnerability was publicly disclosed in the Jenkins Security Advisory 2025-01-22 and has a CVSS score of High [2][3].