CVE-2025-64134

7.1 HIGH

📋 TL;DR

Jenkins JDepend Plugin 1.3.1 and earlier contains an XML external entity (XXE) vulnerability due to an outdated JDepend Maven Plugin dependency. This allows attackers to read arbitrary files from the Jenkins controller file system and potentially perform server-side request forgery. All Jenkins instances using the vulnerable plugin versions are affected.

💻 Affected Systems

Products:
  • Jenkins JDepend Plugin
Versions: 1.3.1 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the JDepend Plugin to be installed and enabled in Jenkins.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Jenkins controller file system, including reading sensitive credentials, configuration files, and potentially executing arbitrary code through SSRF chaining.

🟠

Likely Case

Unauthorized reading of sensitive files from Jenkins controller, potentially exposing credentials, source code, or configuration data.

🟢

If Mitigated

Limited impact if proper network segmentation and file system permissions restrict access to sensitive files.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to Jenkins with permission to configure or trigger builds using the JDepend Plugin.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.2 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-2936

Restart Required: Yes

Instructions:

1. Update Jenkins JDepend Plugin to version 1.3.2 or later via Jenkins Plugin Manager
2. Restart Jenkins instance
3. Verify plugin version in Manage Jenkins > Manage Plugins

🔧 Temporary Workarounds

Disable JDepend Plugin (platform: all)

Temporarily disable the vulnerable plugin until patching is possible.

Navigate to Manage Jenkins > Manage Plugins > Installed
Find JDepend Plugin and click Disable

Remove JDepend Plugin (platform: all)

Completely remove the vulnerable plugin.

Navigate to Manage Jenkins > Manage Plugins > Installed
Find JDepend Plugin and click Uninstall

🧯 If You Can't Patch

  • Restrict Jenkins user permissions to only necessary build configurations
  • Implement network segmentation to isolate Jenkins controller from sensitive systems

🔍 How to Verify

Check if Vulnerable:

Check Jenkins plugin version: Navigate to Manage Jenkins > Manage Plugins > Installed, find JDepend Plugin and verify version is 1.3.1 or earlier

Check Version (via the plugin manager API; most controllers require an authenticated user or API token for this call, shown here as placeholders):

curl -s -u '<user>:<api-token>' 'http://jenkins-host/pluginManager/api/json?depth=1' | jq -r '.plugins[] | select(.shortName == "jdepend") | .version'

An output of 1.3.1 or lower indicates a vulnerable install; no output means the plugin is not installed.

Verify Fix Applied:

Verify JDepend Plugin version is 1.3.2 or later in Manage Jenkins > Manage Plugins > Installed
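The following script automates the version check above for fleets of controllers. It is an added example, not code from the advisory or the Jenkins project; it assumes the plugin's shortName in the plugin manager API is "jdepend" (as in the curl check) and that the caller has a user/API token allowed to read /pluginManager/api/json. The embedded JSON is a constructed sample so the script runs offline; pass a base URL, user and API token to query a live controller.

```python
"""Check whether a Jenkins controller runs a JDepend Plugin version affected by
CVE-2025-64134 (1.3.1 and earlier; fixed in 1.3.2).

Added example, not part of the original advisory. Assumptions: the plugin's
shortName in the Jenkins plugin manager API is "jdepend", and a user/API token
that may read /pluginManager/api/json is available for live queries. The
sample response below is constructed for offline use.
"""
import json
import re
import sys
import urllib.request
from base64 import b64encode

FIXED_VERSION = "1.3.2"
PLUGIN_SHORT_NAME = "jdepend"

# Constructed sample of a plugin-manager API response (depth=1); not real output.
SAMPLE_API_RESPONSE = json.dumps({
    "plugins": [
        {"shortName": "git", "longName": "Git plugin", "version": "5.2.1", "enabled": True},
        {"shortName": "jdepend", "longName": "JDepend Plugin", "version": "1.3.1", "enabled": True},
    ]
})


def parse_version(version):
    """Split a plugin version string into a comparable tuple of integers.

    Only the leading numeric components count, so "1.3.1-SNAPSHOT" or
    "1.3.1.v2024" compare as (1, 3, 1).
    """
    numbers = []
    for part in re.split(r"[.\-]", version):
        if part.isdigit():
            numbers.append(int(part))
        else:
            break
    return tuple(numbers)


def is_vulnerable(version):
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_plugin(api_json, short_name=PLUGIN_SHORT_NAME):
    """Return the plugin entry (dict) for short_name, or None if not installed."""
    for plugin in json.loads(api_json).get("plugins", []):
        if plugin.get("shortName") == short_name:
            return plugin
    return None


def assess(api_json):
    """Return (status, version); status is 'not installed', 'vulnerable' or 'fixed'."""
    plugin = find_plugin(api_json)
    if plugin is None:
        return "not installed", None
    version = plugin.get("version", "")
    if is_vulnerable(version):
        return "vulnerable", version
    return "fixed", version


def fetch_plugin_api(base_url, user, api_token):
    """Fetch the plugin manager JSON from a live controller (HTTP basic auth with an API token)."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    req = urllib.request.Request(url)
    cred = b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    if len(sys.argv) == 4:
        body = fetch_plugin_api(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        body = SAMPLE_API_RESPONSE  # offline demonstration with the constructed sample
    status, version = assess(body)
    print(f"JDepend Plugin: {status}" + (f" (version {version})" if version else ""))
```

Usage: `python check_jdepend.py https://jenkins.example.internal <user> <api-token>`; with no arguments it evaluates the constructed sample and reports "vulnerable (version 1.3.1)". The version comparison is numeric rather than string-based so that a future 1.3.10 is not mistaken for an older release.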

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in Jenkins logs
  • XML parsing errors related to external entities
  • Failed attempts to access restricted files

Network Indicators:

  • Outbound HTTP requests from Jenkins to internal systems not typically accessed

SIEM Query:

source="jenkins.log" AND ("XXE" OR "external entity" OR "file://" OR "http://localhost")
