VYPR
Moderate severity · NVD Advisory · Published Oct 29, 2025 · Updated Nov 4, 2025

CVE-2025-64133

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins Extensible Choice Parameter Plugin 239.v5f5c278708cf and earlier allows attackers to execute sandboxed Groovy code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF vulnerability in Jenkins Extensible Choice Parameter Plugin allows attackers to execute sandboxed Groovy code.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Extensible Choice Parameter Plugin versions 239.v5f5c278708cf and earlier. The plugin fails to require POST requests for an HTTP endpoint, allowing attackers to craft malicious requests that can be triggered by unsuspecting users with the necessary permissions [1].

Exploitation

To exploit this vulnerability, an attacker must trick a Jenkins user with sufficient permissions (e.g., Job/Configure) into clicking a crafted link or visiting a malicious page. The CSRF attack can then execute sandboxed Groovy code on the Jenkins controller [1]. The sandbox restricts the Groovy code's capabilities, but it still presents a significant risk.

Impact

Successful exploitation enables the attacker to execute arbitrary sandboxed Groovy scripts. While the sandbox limits access to certain sensitive operations, attackers can still perform actions within sandbox constraints, such as reading job configurations or triggering builds, potentially leading to further compromise [1][4].

Mitigation

As of the advisory date, no fix has been released for this plugin. The plugin is listed as unresolved in the Jenkins security advisory, meaning users are advised to restrict plugin usage or apply workarounds such as disabling the plugin or using HTTP POST enforcement via reverse proxy settings [2]. The Jenkins security team recommends monitoring for updates.
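The root cause named above, an endpoint that does not require POST, is worth seeing next to its fix. The following is an added example written for this page, not code from the Extensible Choice Parameter Plugin: a hypothetical Jenkins `RootAction` named `ScriptPreviewAction` with an invented `doPreview` endpoint that echoes a parameter in place of the plugin's real sandboxed evaluation. It shows the GET-reachable "before" form and the hardened form using Stapler's `@RequirePOST` annotation plus an explicit permission check. Requiring POST matters because Jenkins' CSRF crumb filter validates crumbs on POST requests, so a GET-reachable endpoint is never covered by it.

```java
// Added example: a hypothetical Jenkins action, not the affected plugin's code.
package example.csrf; // placeholder package name

import hudson.Extension;
import hudson.model.Item;
import hudson.model.RootAction;
import java.io.IOException;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

@Extension
public class ScriptPreviewAction implements RootAction {

    @Override
    public String getIconFileName() { return null; }   // hidden from the sidebar

    @Override
    public String getDisplayName() { return "Script preview (example)"; }

    @Override
    public String getUrlName() { return "script-preview-example"; }

    // BEFORE (vulnerable pattern): a Stapler "do*" method with no HTTP-method
    // restriction is reachable by GET. A victim's browser will attach its Jenkins
    // session cookie to any GET it is made to issue, and the CSRF crumb is not
    // checked on GET, so the action runs with the victim's permissions.
    public void doPreview(StaplerRequest req, StaplerResponse rsp,
                          @QueryParameter String script) throws IOException {
        rsp.setContentType("text/plain");
        // Placeholder for the sandboxed evaluation the real plugin performs.
        rsp.getWriter().println("would evaluate: " + script);
    }

    // AFTER (hardened): @RequirePOST makes Stapler reject non-POST requests, which
    // also brings the endpoint under Jenkins' CSRF crumb validation. The explicit
    // permission check documents and enforces who may reach it (the advisory text
    // names Job/Configure, i.e. Item.CONFIGURE, as the relevant permission).
    @RequirePOST
    public void doPreviewFixed(StaplerRequest req, StaplerResponse rsp,
                               @QueryParameter String script) throws IOException {
        Jenkins.get().checkPermission(Item.CONFIGURE);
        rsp.setContentType("text/plain");
        rsp.getWriter().println("would evaluate: " + script);
    }
}
```

When reviewing a plugin for this class of bug, the check is mechanical: every `do*` Stapler method that evaluates scripts, changes state or reveals data should carry `@RequirePOST` (or `@POST`) and an explicit `checkPermission` call; a method missing both is exactly the pattern the advisory describes.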

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: jp.ikedam.jenkins.plugins:extensible-choice-parameter (Maven)
Affected versions: <= 239.v5f5c278708cf
Patched versions: (none listed)

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1