CVE-2025-64146

4.3 MEDIUM

📋 TL;DR

The Jenkins Curseforge Publisher Plugin 1.0 stores Curseforge API keys unencrypted in job config.xml files on the Jenkins controller. Any user with Item/Extended Read permission (which allows fetching a job's config.xml through the web UI or REST API) or with read access to the controller's filesystem can recover the keys. Only Jenkins instances running this plugin version with at least one job configured with an API key are affected.

💻 Affected Systems

Products:
  • Jenkins Curseforge Publisher Plugin
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Jenkins instances with the Curseforge Publisher Plugin installed and configured with API keys.

📦 What is this software?

The Curseforge Publisher Plugin is a Jenkins publisher step that uploads build artifacts (typically game mod releases) to the Curseforge platform. It authenticates to the Curseforge API with an API key entered in the job configuration, which is the value this advisory is about.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker who recovers a key can call the Curseforge API as the key's owner: upload or replace files on the owner's projects (anyone who later downloads those files receives the attacker's content), modify or delete published content, or perform any other action the key permits.

🟠

Likely Case

Internal users who already hold Item/Extended Read (or read access to the controller's filesystem or its backups) read the key from config.xml, whether by accident or deliberately, and it ends up in tickets, chat logs or a personal script, leading to unauthorized Curseforge API use or further leakage.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to authorized users who already have access to sensitive configuration data.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

No exploit code is needed. An authenticated user with Item/Extended Read simply fetches the job's configuration (for example GET /job/<name>/config.xml with an API token), and anyone with filesystem access reads $JENKINS_HOME/jobs/<name>/config.xml directly. Exploitation therefore requires an existing Jenkins account with that permission or access to the controller host; it cannot be done unauthenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1

Vendor Advisory: https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3562

Restart Required: Yes (an upgrade of an already-installed plugin is loaded on the next controller restart)

Instructions:

1. In Manage Jenkins > Plugins > Updates, update the Curseforge Publisher Plugin to 1.1 or later and restart the controller so the new version is loaded.
2. Open and save each job that uses the publisher so its stored key is rewritten in the fixed format; until a job is saved again, the plaintext value remains in its config.xml.
3. Treat every key that was stored by version 1.0 as exposed: generate a new key in Curseforge, update the affected jobs, and revoke the old one.

🔧 Temporary Workarounds

Restrict Jenkins permissions

Platform: all

Grant Item/Extended Read only to users who legitimately need to export job configurations; with matrix or role-based authorization, review who holds it (Overall/Administer implies it). Users with plain Item/Read cannot fetch config.xml.

Filesystem access controls

Platform: all

Restrict read access to $JENKINS_HOME, and in particular jobs/*/config.xml, to the Jenkins service account. Apply the same restrictions to backups and snapshots of JENKINS_HOME, since they contain the same plaintext keys.

🧯 If You Can't Patch

  • Remove the API key from every job that uses the publisher (or disable the publisher step, or uninstall the plugin if it is not needed) so that no plaintext key remains in any config.xml
  • Treat every key that was ever stored by the plugin as exposed: generate new keys in Curseforge and revoke the old ones, then check the Curseforge project history for uploads or changes that no Jenkins build explains
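Before rotating keys it helps to know which jobs actually hold one. The following is an added example, not the plugin's or the page's own code: it walks a JENKINS_HOME, parses each job config.xml, and reports secret-looking fields under any Curseforge element whose value is not in the `{<base64>}` form that Jenkins uses for encrypted Secret values. The element names (`org.example.CurseforgePublisher`, `apiKey`) in the constructed samples are assumptions, since the plugin's real configuration layout is not given on the page; the tag-name heuristic is deliberately broad for that reason.

```python
"""Audit Jenkins job config.xml files for plaintext Curseforge API keys.

Added example, not the plugin's own code. Assumptions (not confirmed by the
advisory): the plugin's element names are unknown, so any secret-looking tag
(apiKey, token, secret, password) under an element whose tag mentions
"curseforge" is inspected. Jenkins-encrypted Secret values serialise as
"{<base64>}", so any other non-empty value in such a field is treated as
plaintext.
"""
import re
import sys
from pathlib import Path
import xml.etree.ElementTree as ET

ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
SECRET_TAG_RE = re.compile(r"(apikey|api_key|token|secret|password)", re.I)


def mask(value):
    """Show only the first and last four characters so reports are safe to share."""
    value = value.strip()
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-4:]


def find_plaintext_keys(xml_text):
    """Return [(element_path, masked_value)] for plaintext secret-like fields
    located under any element whose tag name contains 'curseforge'."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path, under_curseforge):
        tag = elem.tag
        in_scope = under_curseforge or "curseforge" in tag.lower()
        here = f"{path}/{tag}"
        text = (elem.text or "").strip()
        if in_scope and SECRET_TAG_RE.search(tag) and text and not ENCRYPTED_RE.match(text):
            findings.append((here, mask(text)))
        for child in elem:
            walk(child, here, in_scope)

    walk(root, "", False)
    return findings


def audit_jenkins_home(jenkins_home):
    """Scan jobs/**/config.xml (folders nest as jobs/<folder>/jobs/<job>) and
    return {config_path: findings} for every file with a plaintext key."""
    results = {}
    for cfg in Path(jenkins_home).glob("jobs/**/config.xml"):
        try:
            findings = find_plaintext_keys(cfg.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue  # not a job config we can parse; skip rather than crash
        if findings:
            results[str(cfg)] = findings
    return results


# Constructed sample configs (element names are assumptions, not the plugin's).
SAMPLE_VULNERABLE = """<project>
  <publishers>
    <org.example.CurseforgePublisher plugin="curseforge-publisher@1.0">
      <projectId>12345</projectId>
      <apiKey>cfpat-1234567890abcdef</apiKey>
    </org.example.CurseforgePublisher>
  </publishers>
</project>"""

SAMPLE_FIXED = """<project>
  <publishers>
    <org.example.CurseforgePublisher plugin="curseforge-publisher@1.1">
      <projectId>12345</projectId>
      <apiKey>{AQAAABAAAAAQZm9vYmFyYmF6cXV4MTIzNA==}</apiKey>
    </org.example.CurseforgePublisher>
  </publishers>
</project>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, findings in audit_jenkins_home(sys.argv[1]).items():
            for where, masked in findings:
                print(f"{path}: plaintext key at {where} ({masked})")
    else:
        print(find_plaintext_keys(SAMPLE_VULNERABLE))
        print(find_plaintext_keys(SAMPLE_FIXED))
```

Run it as the Jenkins service account with the JENKINS_HOME path as the only argument; every reported job needs its key rotated, not just removed, because the value has already been readable.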

🔍 How to Verify

Check if Vulnerable:

In Manage Jenkins > Plugins > Installed plugins, look for the Curseforge Publisher Plugin; version 1.0 is vulnerable. The same list is available as JSON from /pluginManager/api/json?depth=1 for scripted checks across many controllers.

Check Version:

Navigate to Jenkins > Manage Jenkins > Plugin Manager and check Curseforge Publisher Plugin version.

Verify Fix Applied:

Confirm the installed version is 1.1 or later after the restart, then confirm that affected jobs have been saved again and that no config.xml under $JENKINS_HOME/jobs still contains a plaintext key.
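For fleets of controllers the plugin list is easier to check over the REST API than in the UI. The script below is an added example, not from the page or the plugin: it reads the real `/pluginManager/api/json?depth=1` response (whose `plugins` array carries `shortName` and `version`), finds the plugin and compares its version against the fixed release. The short name `curseforge-publisher` is an assumption; confirm it against the plugin's entry in your Plugin Manager before relying on the result.

```python
"""Check whether the Curseforge Publisher Plugin on a Jenkins controller is
at or above the fixed version.

Added example, not the page's or the plugin's own code. Assumptions: the
plugin short name "curseforge-publisher" (not confirmed by the advisory);
authentication with a user name and API token over HTTP basic auth.
"""
import base64
import json
import re
import sys
import urllib.request

PLUGIN_SHORT_NAME = "curseforge-publisher"  # assumption, verify in Plugin Manager
FIXED_VERSION = "1.1"


def parse_version(version):
    """'1.0', '1.1.2' or '1.0-beta-1' -> tuple of ints from the numeric prefix,
    so that 1.10 compares greater than 1.1 (string comparison would not)."""
    numbers = [int(x) for x in re.findall(r"\d+", version.split("-")[0])]
    return tuple(numbers) or (0,)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    return parse_version(installed) < parse_version(fixed)


def assess(plugins_json, short_name=PLUGIN_SHORT_NAME):
    """Return (state, version) where state is 'absent', 'vulnerable' or 'fixed'."""
    data = json.loads(plugins_json) if isinstance(plugins_json, str) else plugins_json
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == short_name:
            version = plugin.get("version", "0")
            return ("vulnerable" if is_vulnerable(version) else "fixed"), version
    return "absent", None


def fetch_plugins(base_url, user, api_token):
    """Fetch the installed-plugin list from a live controller (network access)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample response: same shape as the real API, made-up values.
SAMPLE_RESPONSE = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.2.1", "active": True},
    {"shortName": "curseforge-publisher", "version": "1.0", "active": True},
]})

if __name__ == "__main__":
    if len(sys.argv) == 4:  # python check.py https://jenkins.example user token
        state, version = assess(fetch_plugins(*sys.argv[1:4]))
    else:
        state, version = assess(SAMPLE_RESPONSE)
    print(f"{PLUGIN_SHORT_NAME}: {state} (installed {version})")
```

A result of `fixed` only proves the code is patched; the stored keys still need the re-save and rotation steps above.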

📡 Detection & Monitoring

Log Indicators:

  • GET requests for /job/<name>/config.xml (or /job/<folder>/job/<name>/config.xml) by users who do not administer that job, in reverse-proxy or Jenkins access logs
  • Interactive logins, file reads or copies of $JENKINS_HOME/jobs on the controller host, or downloads of JENKINS_HOME backups, by anyone other than the Jenkins service account and its administrators
  • Curseforge project activity (uploads, file replacements, deletions) that no Jenkins build explains

Network Indicators:

  • Curseforge API calls authenticated with a key that Jenkins holds but originating from addresses other than the Jenkins controller or its agents

SIEM Query:

Splunk-style search over reverse-proxy access logs in front of Jenkins (field names depend on your log source; Jenkins emits no filesystem_access event, and plugin version is better checked directly as described under How to Verify):

index=proxy sourcetype=nginx:access method=GET status=200 uri_path="/job/*/config.xml" NOT user IN ("jenkins-admin", "ci-backup")
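The same detection logic, as an added example that is not part of the page: it parses combined-format access lines from a proxy in front of Jenkins, keeps successful GETs of a job's config.xml, and reports requests from any user outside an allowlist. It assumes API-token requests populate the remote_user field of the proxy log; browser sessions authenticate with a cookie and appear as "-", so those hits must be attributed through Jenkins' own user activity logging. The log lines are constructed.

```python
"""Flag reads of Jenkins job config.xml in reverse-proxy access logs.

Added detection example, not the page's SIEM query. Assumptions: Jenkins sits
behind a proxy writing nginx/Apache combined-format access logs, and API-token
basic-auth requests carry the user name in the remote_user field. Session-
cookie logins show "-" there and are reported as unattributed.
"""
import re

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# /job/<name>/config.xml, including jobs nested in folders.
CONFIG_RE = re.compile(r"^(/job/[^/?]+)+/config\.xml(\?.*)?$")


def parse_line(line):
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def flag_config_reads(lines, allowed_users):
    """Return successful GETs of a job config.xml by users not in the allowlist
    (an unattributed '-' user is never allowed, so cookie sessions surface)."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if not entry or entry["method"] != "GET" or entry["status"] != "200":
            continue  # failed or non-GET requests did not disclose the file
        if not CONFIG_RE.match(entry["path"]):
            continue
        if entry["user"] in allowed_users:
            continue
        hits.append({"ts": entry["ts"], "user": entry["user"],
                     "ip": entry["ip"], "path": entry["path"]})
    return hits


# Constructed sample log lines (combined format, made-up hosts and users).
SAMPLE_LOG = [
    '10.0.0.5 - alice [29/Oct/2025:10:01:02 +0000] "GET /job/mod-build/config.xml HTTP/1.1" 200 2310 "-" "curl/8.4.0"',
    '10.0.0.9 - bob [29/Oct/2025:10:02:10 +0000] "GET /job/mod-build/config.xml HTTP/1.1" 200 2310 "-" "python-requests/2.32"',
    '10.0.0.9 - bob [29/Oct/2025:10:02:15 +0000] "GET /job/mod-build/lastBuild/consoleText HTTP/1.1" 200 9000 "-" "python-requests/2.32"',
    '10.0.0.12 - - [29/Oct/2025:10:03:00 +0000] "GET /job/infra/job/mod-build/config.xml HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
    '10.0.0.12 - - [29/Oct/2025:10:03:05 +0000] "GET /job/infra/job/mod-build/config.xml HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in flag_config_reads(SAMPLE_LOG, allowed_users={"alice"}):
        print(hit)
```

Only 200 responses count: a 403 means Jenkins refused the export, so nothing leaked. The allowlist should hold the accounts that legitimately export job configuration (backup jobs, job-DSL seed accounts), and every remaining hit before the keys were rotated is a reason to rotate again.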
