CVE-2025-64134
Description
Jenkins JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity (XXE) attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins JDepend Plugin 1.3.1 and earlier uses an outdated JDepend Maven Plugin that does not disable XML external entity processing, enabling XXE attacks.
Vulnerability Description
The Jenkins JDepend Plugin, versions 1.3.1 and earlier, bundles an outdated version of the JDepend Maven Plugin that fails to configure its XML parser to prevent XML External Entity (XXE) attacks [1]. This oversight allows an attacker to inject malicious XML content during the plugin's processing, leading to potential information disclosure or server-side request forgery [2].
Attack Vector and Prerequisites
Exploitation requires the ability to supply or manipulate XML input that is processed by the plugin, such as through a Jenkins job configuration or build artifact. No special privileges are needed beyond the ability to trigger builds that use the JDepend post-build action [1]. The attack can be performed remotely via crafted XML files.
Impact
A successful XXE attack can allow an attacker to read arbitrary files on the Jenkins controller file system, perform network reconnaissance, or initiate requests to internal systems from the Jenkins server [3]. This could lead to exposure of sensitive data or further compromise within the network.
Mitigation Status
As of the advisory publication date (2025-10-29), there is no patch available for the JDepend Plugin [1]. Users are advised to remove or disable the plugin if possible, or to restrict access to Jenkins job configuration to trusted users [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
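The root defect here is the XML parser configuration itself. The Java snippet below is added as an illustration and is not code from the JDepend plugin or the JDepend Maven Plugin; it shows how a JAXP DOM parser is hardened against XXE by refusing DTDs outright, so a report carrying a DOCTYPE is rejected before any entity could be resolved. The class name and the sample report content are constructed.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical helper, not part of the JDepend plugin.
public final class HardenedReportParser {

    // Returns a DOM parser that cannot resolve external entities or load DTDs.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE: the strongest setting, and sufficient when the
        // input format (a JDepend XML report) never needs one.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses report XML held in memory and returns the root element name.
    static String parseRootName(String xml) throws Exception {
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample in the shape of a JDepend report; not a real report file.
        String report = "<JDepend><Packages><Package name=\"com.example\"/></Packages></JDepend>";
        System.out.println("root: " + parseRootName(report));

        // Any DOCTYPE, even one declaring only a harmless internal entity, is
        // rejected before the parser gets a chance to resolve anything.
        String withDoctype = "<!DOCTYPE JDepend [<!ENTITY e \"x\">]><JDepend>&e;</JDepend>";
        try {
            parseRootName(withDoctype);
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A plugin that applies the same settings to its SAXParserFactory or XMLInputFactory closes the same hole for those APIs.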
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:jdependMaven | <= 1.3.1 | — |
Affected products
- Range: <=1.3.1
- Jenkins Project / Jenkins JDepend Plugin (Range: 0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-jfg6-4gx3-3v7w (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-64134 (advisory)
- www.jenkins.io/security/advisory/2025-10-29/ (vendor advisory)
- www.openwall.com/lists/oss-security/2025/10/29/2 (web)
News mentions
- Jenkins Security Advisory 2025-10-29 (Jenkins Security Advisories, Oct 29, 2025)