VYPR
Moderate severity · NVD Advisory · Published Oct 29, 2025 · Updated Nov 4, 2025

CVE-2025-64136

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins Themis Plugin 1.4.1 and earlier allows attackers to connect to an attacker-specified HTTP server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in Jenkins Themis Plugin 1.4.1 and earlier allows attackers to connect to an attacker-specified HTTP server.

Vulnerability

Overview

A cross-site request forgery (CSRF) vulnerability exists in Jenkins Themis Plugin versions 1.4.1 and earlier. The plugin fails to require POST requests for an HTTP endpoint, allowing attackers to craft malicious requests that, when executed by an authenticated Jenkins user, can connect to an attacker-specified HTTP server [1][2].

Exploitation

To exploit this vulnerability, an attacker must trick a Jenkins user with appropriate permissions (e.g., a user with access to the plugin's configuration) into clicking a crafted link or visiting a malicious page. Because the POST request check is missing, a simple GET request can trigger the action. No additional authentication is needed beyond the victim's existing session [1][2].

Impact

Successful exploitation enables an attacker to make the Jenkins server connect to an attacker-controlled HTTP server. This could be used for reconnaissance, data exfiltration, or as a stepping stone for further attacks within the network [1][2].

Mitigation

As of the advisory date (2025-10-29), no fix has been released for the Themis Plugin. Users are advised to restrict access to Jenkins, monitor for suspicious activity, and consider disabling the plugin if not required [1][2].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:themis (Maven)
Affected versions: <= 1.4.1
Patched versions: none

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1