
Multiple Jenkins Vulnerability SAML Authentication Bypass And MCP Server Plugin Permissions

  • October 30, 2025

TripleHelix
Moderator


The Jenkins project released Security Advisory 2025-10-29 on October 28, 2025, disclosing multiple vulnerabilities across 13 plugins that power the popular open-source automation server.

These flaws range from high-severity authentication bypasses to permission misconfigurations and credential exposures, potentially exposing enterprise CI/CD pipelines to unauthorized access and code execution.

While fixes are available for two critical issues in the SAML and MCP Server plugins, most of the others remain unresolved, so administrators should update immediately where possible and monitor vigilantly.

The advisory highlights a replay vulnerability in the SAML Plugin (SECURITY-3613, CVE-2025-64131), rated high severity with a CVSS score of 7.5.

Versions up to 4.583.vc68232f7018a_ lack a replay cache, enabling attackers who intercept SAML authentication flows, such as through network sniffing or man-in-the-middle attacks, to replay requests and impersonate users.

This could grant full access to Jenkins instances handling sensitive builds, especially in federated environments using single sign-on.

The fix in version 4.583.585.v22ccc1139f55 introduces a replay cache to block duplicates, a straightforward mitigation that administrators should prioritize.

Complementing this, the MCP Server Plugin suffers from missing permission checks (SECURITY-3622, CVE-2025-64132), a medium-severity issue (CVSS 5.4) affecting versions up to 0.84.v50ca_24ef83f2.

Attackers with basic Item/Read access can extract SCM configurations, trigger unauthorized builds, or list cloud setups without proper privileges via tools like getJobScm, triggerBuild, and getStatus.

This escalates risks in multi-user setups, allowing lateral movement within Jenkins. Updating to 0.86.v7d3355e6a_a_18 enforces these checks, closing the gap effectively.
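
The replay cache described above for the SAML Plugin fix, shown as an added Python example rather than the plugin's own code: each assertion ID is remembered until the assertion expires, so a captured response is rejected on its second use. The class name, the 60-second clock skew and the sample assertion IDs are assumptions made for illustration.

```python
import threading
import time


class ReplayCache:
    """Remembers SAML assertion IDs until the assertion itself expires."""

    def __init__(self, clock=time.time, skew=60):
        self._seen = {}                # assertion ID -> expiry (epoch seconds)
        self._lock = threading.Lock()  # logins arrive on concurrent threads
        self._clock = clock
        self._skew = skew              # tolerated clock skew (assumed value)

    def accept(self, assertion_id, not_on_or_after):
        """Return True only the first time a still-valid assertion is seen."""
        now = self._clock()
        expiry = not_on_or_after + self._skew
        if now >= expiry:
            return False               # expired: rejected without caching
        with self._lock:
            # Drop entries whose assertions would now fail the expiry check,
            # so the cache stays bounded by the assertion lifetime.
            for key in [k for k, exp in self._seen.items() if exp <= now]:
                del self._seen[key]
            if assertion_id in self._seen:
                return False           # same ID presented again: replay
            self._seen[assertion_id] = expiry
            return True


def demo():
    """Constructed sample: one login, a replay of it, and a second login."""
    fake_now = [1000.0]
    cache = ReplayCache(clock=lambda: fake_now[0])
    results = [
        cache.accept("_id-aaaa", 1300.0),   # first use of the assertion
        cache.accept("_id-aaaa", 1300.0),   # captured copy sent again
        cache.accept("_id-bbbb", 1300.0),   # different assertion
    ]
    fake_now[0] = 1400.0                    # past NotOnOrAfter plus skew
    results.append(cache.accept("_id-aaaa", 1300.0))
    return results


if __name__ == "__main__":
    print(demo())
```

The check belongs after signature and audience validation, so that only IDs from genuine assertions enter the cache.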
