CVE-2025-64146
Description
Jenkins Curseforge Publisher Plugin 1.0 stores API Keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Curseforge Publisher Plugin 1.0 stores API keys unencrypted in job config.xml files, exposing them to users with Item/Extended Read permission or file system access.
Vulnerability Description
The Jenkins Curseforge Publisher Plugin version 1.0 stores API keys in plaintext within job configuration files (config.xml) on the Jenkins controller. Because the value is written unencrypted, the credential is persisted without any protection, contrary to Jenkins plugin development guidance, which keeps such values as hudson.util.Secret (serialized to config.xml in encrypted form) or references them by credentials ID [1][3].
Attack Surface
Exploitation requires the attacker to hold Item/Extended Read permission on the affected job, or to have direct access to the Jenkins controller's file system (for example, to $JENKINS_HOME/jobs/*/config.xml). No further privilege is needed to read the stored API keys out of the configuration files [1][3].
Impact
An attacker who obtains an API key can use it to authenticate to the CurseForge service on behalf of the plugin user, potentially gaining unauthorized access to that user's CurseForge projects, modifying project content, or exfiltrating data [1][2].
Mitigation
As of the advisory date, no fix has been released; the issue is listed as unresolved in the advisory [2]. Until a fixed release is available, restrict Item/Extended Read (and Item/Configure, which implies it) on affected jobs to trusted users, limit file-system access to the controller, and rotate any CurseForge API key that may already have been exposed, since the stored value remains readable until the job configuration is changed [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
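The following audit script is an added example for this page; it is not code from the Jenkins project or the Curseforge Publisher Plugin. It shows the difference between the plaintext storage described above and the `{base64}` form Jenkins writes when a plugin stores a value as hudson.util.Secret, and walks a JENKINS_HOME looking for job config.xml files whose sensitive-looking elements are still in the clear. The element names it searches for, the `example.*` publisher class names and the sample config.xml are constructed assumptions; the only name taken from the advisory is the field being an API key.

```python
"""Audit Jenkins job config.xml files for secrets stored in plaintext.

Added example for this advisory page (not Jenkins or plugin code).
Assumptions: secret-bearing elements are named like apiKey/token/password/
secret, and Jenkins-encrypted values have the '{base64}' shape that
hudson.util.Secret serializes to.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# hudson.util.Secret serializes as '{' + base64 + '}'. In the current format
# the base64 starts with "AQAAABAAAA" (version byte 1, then the 16-byte IV
# length); older controllers used a plain AES blob, so only the braces and
# base64 alphabet are checked here. Anything else is stored in the clear.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/]+=*\}$")

# Element names that commonly hold secrets. "apikey" covers the field this
# advisory describes; the other names are generic assumptions.
SENSITIVE_NAME_RE = re.compile(
    r"(apikey|api_key|token|password|passphrase|secret)", re.IGNORECASE)


def is_encrypted(value):
    """True if value has the shape Jenkins writes for a Secret field."""
    return bool(ENCRYPTED_RE.match(value.strip()))


def mask(value):
    """Keep a 3-character prefix so findings can be reported without
    re-exposing the key in logs or tickets."""
    return value[:3] + "*" * max(len(value) - 3, 0)


def find_plaintext_secrets(xml_text):
    """Return [(element_path, masked_value)] for every sensitive-looking
    leaf element whose text is not in Jenkins' encrypted form."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path):
        for child in elem:
            cpath = f"{path}/{child.tag}"
            text = (child.text or "").strip()
            if len(child) == 0 and text and SENSITIVE_NAME_RE.search(child.tag):
                if not is_encrypted(text):
                    findings.append((cpath, mask(text)))
            walk(child, cpath)

    walk(root, root.tag)
    return findings


def scan_jenkins_home(jenkins_home):
    """Scan jobs/**/config.xml (folders nest jobs/<folder>/jobs/<job>)
    and return {config_path: findings} for files with plaintext secrets."""
    results = {}
    for cfg in Path(jenkins_home).glob("jobs/**/config.xml"):
        try:
            findings = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        except (ET.ParseError, OSError):
            continue  # unreadable or non-XML file; not a finding
        if findings:
            results[str(cfg)] = findings
    return results


# Constructed sample config.xml: one publisher keeps its key as a plain
# String (the pattern this advisory describes), the other as a Secret.
# The class names and key values are made up for this example.
SAMPLE_CONFIG = """<project>
  <publishers>
    <example.CurseforgePublisher plugin="curseforge-publisher@1.0">
      <apiKey>cf-EXAMPLE-plaintext-key-123</apiKey>
      <projectId>12345</projectId>
    </example.CurseforgePublisher>
    <example.HardenedPublisher>
      <apiKey>{AQAAABAAAAAQAbCdEf0123456789+/abcdEFGH=}</apiKey>
    </example.HardenedPublisher>
  </publishers>
</project>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python audit_config_xml.py /var/lib/jenkins
        for path, findings in sorted(scan_jenkins_home(sys.argv[1]).items()):
            for elem_path, masked in findings:
                print(f"{path}: {elem_path} = {masked}")
    else:
        for elem_path, masked in find_plaintext_secrets(SAMPLE_CONFIG):
            print(f"plaintext secret at {elem_path}: {masked}")
```

Run it against the controller's JENKINS_HOME (it needs the same file-system access the advisory warns about, so run it as the Jenkins service account or from a backup). A match means the key is readable by anyone who can read the file or who holds Item/Extended Read on that job; once such a key is found, rotate it in CurseForge rather than only tightening permissions.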
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:curseforge-publisher (Maven) | <= 1.0 | — |
Affected products
- Jenkins Project / Jenkins Curseforge Publisher Plugin
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-23vj-j6jc-w892 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-64146 (NVD entry)
- https://www.jenkins.io/security/advisory/2025-10-29/ (vendor advisory)
- https://www.openwall.com/lists/oss-security/2025/10/29/2 (oss-security announcement)
News mentions
- Jenkins Security Advisory 2025-10-29, Jenkins Security Advisories, Oct 29, 2025