CVE-2025-64147
Description
Jenkins Curseforge Publisher Plugin 1.0 does not mask API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Curseforge Publisher Plugin 1.0 does not mask API Keys on the job configuration form, exposing them to attackers with view access.
Vulnerability
Description
The Jenkins Curseforge Publisher Plugin version 1.0 fails to mask API Keys displayed on the job configuration form [1][3]. This means that the API Key field is shown in plain text rather than being obfuscated (e.g., with asterisks), which is a standard security practice for sensitive credentials in Jenkins forms.
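The standard Jenkins practice the description refers to, shown as an added illustration (hypothetical code, not the Curseforge Publisher Plugin's own source): the credential field is typed as `hudson.util.Secret` and bound to an `<f:password>` form control, so it is encrypted at rest and rendered masked on the job configuration form. The class, package and header names below are invented for the example.

```java
// Hypothetical Jenkins publisher step (illustration only, not the
// Curseforge Publisher Plugin's code). The API key is held as a
// hudson.util.Secret so Jenkins encrypts it in config.xml and the
// configuration form shows a masked value instead of the plaintext key.
package example.curseforge;  // hypothetical package

import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

public class CurseforgePublisherStep {
    // Weak pattern (what the advisory describes): a plain String is
    // persisted unencrypted and echoed back in clear text on the form.
    // private final String apiKey;

    // Corrected pattern: Secret is encrypted at rest; users who can view
    // the configuration see only a masked/encrypted value.
    private final Secret apiKey;

    @DataBoundConstructor
    public CurseforgePublisherStep(Secret apiKey) {
        this.apiKey = apiKey;
    }

    // Getter used by the form binding returns the Secret, never a String.
    public Secret getApiKey() {
        return apiKey;
    }

    // Decrypt only at the point of use, e.g. when building the upload
    // request; the header name here is a placeholder.
    String authorizationHeader() {
        return "X-Example-Token: " + apiKey.getPlainText();
    }
}
/*
 * Matching config.jelly fragment (hypothetical path
 * src/main/resources/example/curseforge/CurseforgePublisherStep/config.jelly):
 *
 *   <f:entry title="API Key" field="apiKey">
 *     <f:password/>
 *   </f:entry>
 *
 * <f:password/> renders a password-type input bound to the Secret;
 * <f:textbox/> in its place would display the key in clear text.
 */
```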
Exploitation
An attacker who has at least Job/Configure permission (or any permission that allows viewing the job configuration page) can directly observe the API Key in plain text [1][2]. No special network position or additional authentication bypass is required; the vulnerability is present in the user interface itself.
Impact
Successful exploitation allows an attacker to capture the plaintext API Key. With this key, the attacker could authenticate to the Curseforge service as the plugin's configured user, leading to unauthorized actions such as publishing or modifying project artifacts on Curseforge [1][3].
Mitigation
As of the advisory date (2025-10-29), no fixed version of the Curseforge Publisher Plugin has been released [1][2]. The plugin is listed among those with unresolved security issues. Users should consider removing or disabling the plugin if it is not essential, or restrict access to job configuration pages to trusted administrators only.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:curseforge-publisher (Maven) | <= 1.0 | — |
Affected products
- Jenkins Project / Jenkins Curseforge Publisher Plugin, range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hv42-crpx-q355 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-64147 (NVD advisory)
- www.jenkins.io/security/advisory/2025-10-29/ (vendor advisory)
- www.openwall.com/lists/oss-security/2025/10/29/2 (oss-security post)
News mentions
- Jenkins Security Advisory 2025-10-29 (Jenkins Security Advisories, Oct 29, 2025)