CVE-2025-64135
Description
Jenkins Eggplant Runner Plugin 0.0.1.301.v963cffe8ddb_8 and earlier sets the Java system property jdk.http.auth.tunneling.disabledSchemes to an empty value, disabling a protection mechanism of the Java runtime.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Eggplant Runner Plugin 0.0.1.301.v963cffe8ddb_8 and earlier disables Java's built-in protection against HTTP tunneling authentication, enabling potential credential exposure.
Vulnerability Overview
Jenkins Eggplant Runner Plugin versions 0.0.1.301.v963cffe8ddb_8 and earlier set the Java system property jdk.http.auth.tunneling.disabledSchemes to an empty value [1][4]. This action disables a built-in protection mechanism in the Java runtime that normally prevents certain authentication schemes from being used during HTTP tunneling [4].
Exploitation and Attack Surface
The vulnerability is introduced at plugin startup, affecting any Jenkins instance using the affected plugin version. No additional authentication or network position is required beyond the ability to interact with the Jenkins controller. An attacker could potentially exploit this weakened setting to perform HTTP tunneling attacks that would otherwise be blocked by the Java runtime's default security configuration [1][3].
Impact
This configuration change could allow an attacker to bypass authentication protections during HTTP tunneling, potentially leading to credential exposure or unauthorized access to internal resources. The exact impact depends on the network environment and the presence of other security controls [1][3].
Mitigation Status
As of the Jenkins Security Advisory 2025-10-29, no fix has been released for the Eggplant Runner Plugin [1][3]. Users are advised to either disable the plugin or apply network-level protections to mitigate the risk until a patched version becomes available.
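An added check (not from the advisory or the plugin's own code) that a Jenkins administrator can compile and run against a controller JVM to see whether the protection the plugin clears is still in force. It relies on a JDK behaviour that is not spelled out above: when jdk.http.auth.tunneling.disabledSchemes is unset, the runtime falls back to the net.properties default, which lists Basic, so an unset property and an empty property mean opposite things.

```java
// Added example: report whether Basic authentication is still blocked for
// HTTPS proxy tunneling, given the live value of
// jdk.http.auth.tunneling.disabledSchemes on this JVM.
import java.util.Locale;

public final class TunnelingSchemeCheck {

    static final String PROPERTY = "jdk.http.auth.tunneling.disabledSchemes";

    /**
     * Returns true when Basic is still disabled for proxy tunneling.
     * null  -> property unset, JDK default from net.properties ("Basic") applies
     * ""    -> property cleared (what the affected plugin does): nothing disabled
     * other -> comma-separated list of disabled schemes; look for "basic"
     */
    static boolean basicTunnelingBlocked(String value) {
        if (value == null) {
            return true;
        }
        for (String scheme : value.split(",")) {
            if (scheme.trim().toLowerCase(Locale.ROOT).equals("basic")) {
                return true;
            }
        }
        return false; // empty string lands here: protection disabled
    }

    public static void main(String[] args) {
        String current = System.getProperty(PROPERTY);
        String shown = (current == null) ? "<unset, JDK default>" : "\"" + current + "\"";
        System.out.println(PROPERTY + " = " + shown);
        if (basicTunnelingBlocked(current)) {
            System.out.println("OK: Basic is disabled for HTTPS proxy tunneling.");
        } else {
            System.out.println("WARNING: Basic is allowed for HTTPS proxy tunneling;"
                    + " the property has been cleared or does not list Basic.");
        }
    }
}
```

On a running controller the same value can be read from the Jenkins script console with System.getProperty("jdk.http.auth.tunneling.disabledSchemes"); an empty string there indicates the affected plugin (or something else) has cleared it.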
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.jenkins.plugins:eggplant-runner | Maven | <= 0.0.1.301.v963cffe8ddb | — |
Affected products
- Jenkins Project / Jenkins Eggplant Runner Plugin, affected range: <= 0.0.1.301.v963cffe8ddb_8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-w5r3-gr8w-7fj5 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-64135 (NVD)
- www.jenkins.io/security/advisory/2025-10-29/ (vendor advisory)
- www.openwall.com/lists/oss-security/2025/10/29/2 (oss-security mailing list)
News mentions
- Jenkins Security Advisory 2025-10-29, Jenkins Security Advisories, Oct 29, 2025