CVE-2025-64147

4.3 MEDIUM

📋 TL;DR

The Jenkins Curseforge Publisher Plugin 1.0 displays API keys in plain text on job configuration forms instead of masking them. This allows attackers with access to Jenkins configuration pages to capture these credentials. Jenkins administrators using this plugin are affected.
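The defect described above is a common Jenkins plugin pattern: a credential kept as a plain `String` and rendered with a text box is echoed unmasked into the job configuration form. The following Java snippet is an added illustration, not code from the Curseforge Publisher Plugin or the Jenkins project; the class names, field names, and Jelly file paths are assumed. It puts the vulnerable form beside the hardened form that uses `hudson.util.Secret` and the `<f:password/>` Jelly control, which is what "masked" means in Jenkins terms.

```java
// Added illustrative example, not code from the Curseforge Publisher Plugin.
// Shows the generic Jenkins plugin pattern behind this class of bug.
// Class and field names are assumed; Jelly paths are shown in comments.
package example.jenkins; // hypothetical package

import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

/**
 * Before (vulnerable): the key is persisted as plain text in the job's
 * config.xml and echoed back to every user who can open the config page.
 *
 * Matching Jelly (src/main/resources/example/jenkins/VulnerablePublisherConfig/config.jelly):
 *   <f:entry title="API key" field="apiKey">
 *     <f:textbox/>
 *   </f:entry>
 */
final class VulnerablePublisherConfig {
    private final String apiKey;

    @DataBoundConstructor
    VulnerablePublisherConfig(String apiKey) {
        this.apiKey = apiKey;
    }

    /** Stapler calls this to pre-fill the form; the raw key goes straight into the HTML. */
    public String getApiKey() {
        return apiKey;
    }
}

/**
 * After (hardened): hudson.util.Secret encrypts the value with the controller's
 * key before it is written to config.xml, and the form field only ever receives
 * the encrypted token, which the browser shows as a masked field.
 *
 * Matching Jelly (src/main/resources/example/jenkins/HardenedPublisherConfig/config.jelly):
 *   <f:entry title="API key" field="apiKey">
 *     <f:password/>
 *   </f:entry>
 */
final class HardenedPublisherConfig {
    private final Secret apiKey;

    /** Stapler converts the submitted form value with Secret.fromString(). */
    @DataBoundConstructor
    HardenedPublisherConfig(Secret apiKey) {
        this.apiKey = apiKey;
    }

    /** <f:password/> renders getEncryptedValue() of this Secret, never the plain text. */
    public Secret getApiKey() {
        return apiKey;
    }

    /** Decrypt only at the point of use, e.g. when building the upload request. */
    String plainTextForUpload() {
        return Secret.toString(apiKey);
    }
}
```

When a plugin migrates from the first form to the second, existing jobs still carry the plain-text value in `config.xml`; the encrypted value only appears once each job configuration is saved again, so rotating the key after upgrading (as the workarounds section recommends) is what actually retires the exposed value.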

💻 Affected Systems

Products:
  • Jenkins Curseforge Publisher Plugin
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Jenkins instances with the Curseforge Publisher Plugin installed and configured with API keys.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers obtain API keys and use them to compromise external Curseforge accounts, potentially modifying or deleting published content.

🟠 Likely Case: Internal users or attackers with Jenkins access capture API keys for unauthorized access to Curseforge services.

🟢 If Mitigated: Limited exposure if Jenkins access is properly restricted and API keys are rotated after discovery.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires access to Jenkins job configuration pages where API keys are displayed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3562

Restart Required: No

Instructions:

1. Update Jenkins Curseforge Publisher Plugin to version 1.1 or later via Jenkins Plugin Manager.
2. No restart required.
3. Verify API keys are now masked in configuration forms.

🔧 Temporary Workarounds

Restrict Jenkins Access (applies to: all)

Limit access to Jenkins configuration pages to authorized administrators only.

Rotate API Keys (applies to: all)

Generate new API keys in Curseforge and update Jenkins configurations.

🧯 If You Can't Patch

  • Remove API keys from Jenkins configurations and use alternative authentication methods.
  • Implement strict access controls to prevent unauthorized users from viewing Jenkins configuration pages.

🔍 How to Verify

Check if Vulnerable:

Check if Jenkins Curseforge Publisher Plugin version is 1.0 in Jenkins Plugin Manager.

Check Version:

Navigate to Jenkins > Manage Jenkins > Plugin Manager > Installed plugins and check Curseforge Publisher Plugin version.

Verify Fix Applied:

Verify plugin version is 1.1 or later and API keys appear masked (as asterisks) in job configuration forms.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to Jenkins configuration pages, especially from unauthorized users.

Network Indicators:

  • Unusual API calls to Curseforge services from Jenkins server IPs at unexpected times.

SIEM Query:

source="jenkins.log" AND ("configuration" OR "job config") AND user NOT IN (authorized_admin_users)
