Jenkins Security Advisory Patches 10 Vulnerabilities Including SAML Replay and XXE Flaws
Jenkins released a security advisory on October 29, 2025, addressing 10 vulnerabilities across multiple plugins, including high-severity SAML replay and XXE issues.

Jenkins released a security advisory on October 29, 2025, addressing 10 vulnerabilities across multiple plugins. The advisory covers a range of issues from high-severity flaws like a SAML replay attack and an XML external entity (XXE) vulnerability to medium-severity problems including missing permission checks, cross-site request forgery (CSRF), and plaintext storage of secrets.
Among the most critical is CVE-2025-64131, a high-severity replay vulnerability in the SAML Plugin (versions 4.583.vc68232f7018a and earlier). The plugin does not implement a replay cache, allowing attackers who obtain information about the SAML authentication flow between a user's browser and Jenkins to replay those requests and authenticate as that user. The fix in version 4.583.585.v22ccc1139f55 introduces a replay cache that rejects replayed requests.
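To illustrate the mitigation the fix introduces, here is an added example (not the SAML Plugin's own code) of a replay cache that accepts each SAML assertion ID once and forgets it only after the assertion's own NotOnOrAfter instant; the assertion XML, its ID and its timestamps are constructed for the example, and signature validation is assumed to have already happened.

```python
"""Replay cache for SAML assertions: accept each assertion ID once, until it expires."""
import threading
import time
import xml.etree.ElementTree as ET
from datetime import datetime

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from Jenkins or the advisory). Only the ID
# and Conditions/@NotOnOrAfter are read here; signature checks are out of scope.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-id-0001" Version="2.0" IssueInstant="2025-10-29T12:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Conditions NotBefore="2025-10-29T12:00:00Z" NotOnOrAfter="2025-10-29T12:05:00Z"/>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (assertion_id, NotOnOrAfter as a POSIX timestamp)."""
    root = ET.fromstring(xml_text)
    conditions = root.find("saml:Conditions", SAML_NS)
    expiry = datetime.fromisoformat(conditions.get("NotOnOrAfter").replace("Z", "+00:00"))
    return root.get("ID"), expiry.timestamp()


class ReplayCache:
    """Remembers accepted assertion IDs until their NotOnOrAfter instant."""

    def __init__(self):
        self._seen = {}  # assertion ID -> expiry timestamp
        self._lock = threading.Lock()

    def check_and_record(self, assertion_id, not_on_or_after, now=None):
        """Return 'accepted', 'replayed' or 'expired'; each ID is accepted once."""
        now = time.time() if now is None else now
        with self._lock:
            # Entries past their own expiry can never be accepted again, so drop them.
            self._seen = {i: t for i, t in self._seen.items() if t > now}
            if not_on_or_after <= now:
                return "expired"   # stale assertion, regardless of the cache
            if assertion_id in self._seen:
                return "replayed"  # same assertion presented a second time
            self._seen[assertion_id] = not_on_or_after
            return "accepted"


def demo():
    """First use accepted, immediate re-use rejected, use after expiry rejected."""
    cache, (aid, expiry) = ReplayCache(), parse_assertion(SAMPLE_ASSERTION)
    t0 = expiry - 120  # two minutes before the assertion expires
    return [cache.check_and_record(aid, expiry, now=t0),
            cache.check_and_record(aid, expiry, now=t0 + 1),
            cache.check_and_record(aid, expiry, now=expiry + 1)]
```

In a real deployment the cache must be shared across all nodes that terminate SAML logins, or a replay against a different node would still succeed.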
Another high-severity issue is CVE-2025-64134, an XXE vulnerability in the JDepend Plugin (version 1.3.1 and earlier). The plugin bundles an outdated version of the JDepend Maven Plugin that does not configure its XML parser to prevent XXE attacks. Attackers who can configure input files for the "Report JDepend" step can have Jenkins parse a crafted file that uses external entities to extract secrets from the Jenkins controller or perform server-side request forgery.
A third high-severity vulnerability, CVE-2025-64140, affects the Azure CLI Plugin (version 0.9 and earlier). The plugin does not restrict which commands it executes on the Jenkins controller, allowing attackers with Item/Configure permission to execute arbitrary shell commands on the controller.
Medium-severity flaws include missing permission checks in the MCP Server Plugin (CVE-2025-64132), a CSRF vulnerability in the Extensible Choice Parameter Plugin (CVE-2025-64133), and combined CSRF and permission-check issues in the Themis Plugin (CVE-2025-64136, CVE-2025-64137) and Start Windocks Containers Plugin (CVE-2025-64138, CVE-2025-64139). Additional medium-severity issues include a disabled Java protection mechanism in the Eggplant Runner Plugin (CVE-2025-64135), CSRF and missing permission checks in the Nexus Task Runner Plugin (CVE-2025-64141, CVE-2025-64142), and plaintext storage of authorization tokens in the OpenShift Pipeline Plugin (CVE-2025-64143) and of API tokens in the ByteGuard Build Actions Plugin (CVE-2025-64144, CVE-2025-64145).
Administrators are strongly advised to update all affected plugins to the latest versions as soon as possible. The advisory provides specific version numbers for each fix. Given the high severity of some vulnerabilities, particularly the SAML replay and XXE flaws, timely patching is critical to prevent unauthorized access and data exfiltration.
This advisory continues Jenkins' pattern of addressing security issues across its plugin ecosystem. Organizations using Jenkins should regularly monitor security advisories and apply updates promptly to mitigate risks.