CVE-2025-64149

5.4 MEDIUM

📋 TL;DR

A CSRF vulnerability in Jenkins Publish to Bitbucket Plugin allows attackers to trick authenticated users into connecting Jenkins to an attacker-controlled Bitbucket server using credential IDs the attacker has obtained by other means. This could expose the corresponding credentials stored in Jenkins to the attacker's server. Only Jenkins instances with this specific plugin installed are affected.

💻 Affected Systems

Products:
  • Jenkins Publish to Bitbucket Plugin
Versions: 0.4 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Jenkins with the vulnerable plugin installed and configured to use Bitbucket credentials.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers capture all credentials stored in Jenkins, potentially gaining access to source code repositories, deployment systems, and other connected services.

🟠 Likely Case

Attackers capture specific credentials used for Bitbucket access, potentially compromising source code or deployment pipelines.

🟢 If Mitigated

With proper CSRF protections and credential access controls, impact is limited to potential unauthorized Bitbucket connections.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the attacker to obtain valid credential IDs through other means and to trick an authenticated user into visiting a malicious page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.5 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3576

Restart Required: No

Instructions:

1. Open the Jenkins web interface.
2. Navigate to Manage Jenkins > Manage Plugins.
3. Go to the Available tab.
4. Search for 'Publish to Bitbucket Plugin'.
5. Check for an update to version 0.5 or later.
6. Install the update.

🔧 Temporary Workarounds

Disable plugin (applies to: all)

Temporarily disable the vulnerable plugin until patching is possible.

Navigate to Manage Jenkins > Manage Plugins > Installed tab, find 'Publish to Bitbucket Plugin', click 'Disable'.

🧯 If You Can't Patch

  • Implement strict CSRF protection headers and SameSite cookie attributes
  • Restrict user permissions to only necessary plugin functions and credential access

🔍 How to Verify

Check if Vulnerable:

Check plugin version in Jenkins: Manage Jenkins > Manage Plugins > Installed tab, look for 'Publish to Bitbucket Plugin' version

Check Version:

No CLI command; check via Jenkins web interface as described

Verify Fix Applied:

Verify plugin version is 0.5 or higher in Manage Jenkins > Manage Plugins > Installed tab
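The same check can be scripted against the Jenkins plugin manager JSON API (a real Jenkins endpoint, `/pluginManager/api/json?depth=1`) instead of reading the Installed tab by hand. This is an added example, not code from the advisory or the plugin project; the plugin short name `publish-to-bitbucket` is an assumption and should be confirmed against the API output, and the sample response below is constructed.

```python
import json
import re
import urllib.request
from base64 import b64encode

# Assumed short name (artifact id) of "Publish to Bitbucket Plugin";
# confirm it against the Installed tab or the API output before relying on it.
PLUGIN_SHORT_NAME = "publish-to-bitbucket"
FIXED_VERSION = "0.5"   # first fixed release per the advisory


def parse_version(v):
    """Turn '0.4', '0.5.1' or '0.4-beta' into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def assess_plugin(plugins_json, short_name=PLUGIN_SHORT_NAME, fixed=FIXED_VERSION):
    """plugins_json is the dict returned by /pluginManager/api/json?depth=1.
    Returns (status, version); status is one of
    'not_installed', 'disabled', 'vulnerable', 'fixed'."""
    for p in plugins_json.get("plugins", []):
        if p.get("shortName") != short_name:
            continue
        version = p.get("version", "")
        if not p.get("enabled", True):
            return "disabled", version   # the documented workaround is in place
        if parse_version(version) < parse_version(fixed):
            return "vulnerable", version
        return "fixed", version
    return "not_installed", None


def fetch_plugins(base_url, user, api_token):
    """Query a live Jenkins with basic auth; the user needs Overall/Read."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    req = urllib.request.Request(url)
    token = b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample response, shaped like the real API output.
SAMPLE = {"plugins": [
    {"shortName": "git", "version": "5.2.1", "enabled": True},
    {"shortName": "publish-to-bitbucket", "version": "0.4", "enabled": True},
]}

if __name__ == "__main__":
    print(assess_plugin(SAMPLE))   # ('vulnerable', '0.4')
```

For a live check, replace `SAMPLE` with `fetch_plugins("https://jenkins.example", "user", "api-token")`.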

📡 Detection & Monitoring

Log Indicators:

  • Unexpected Bitbucket server connection attempts
  • Failed authentication attempts to new Bitbucket URLs

Network Indicators:

  • Outbound connections to unfamiliar Bitbucket server addresses

SIEM Query:

source="jenkins.log" AND "Bitbucket" AND "connection" AND ("failed" OR "unauthorized")
