8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-24398

GHSA ID

GHSA-qjw6-xvrm-5f2h

EPSS Score

0.3965%

CWE

CWE-352

Published

1/22/2025

Updated

1/22/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-24398

CVE-2025-24398: Bitbucket Server Integration Plugin allows bypassing CSRF protection for any URL

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Bitbucket Server Integration Plugin implements this extension point to support OAuth 1.0 authentication.

In Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.

Bitbucket Server Integration Plugin 4.1.4 restricts which URLs it disables cross-site request forgery (CSRF) protection for to the URLs that needs it.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-24398

GHSA ID

GHSA-qjw6-xvrm-5f2h

EPSS Score

0.3965%

CWE

CWE-352

Published

1/22/2025

Updated

1/22/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.jenkins.plugins:atlassian-bitbucket-server-integration	maven	>= 2.1.0, < 4.1.4	4.1.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the plugin's implementation of Jenkins' CrumbExclusion extension point for OAuth 1.0 authentication. The advisory indicates the exclusion logic was too broad in vulnerable versions (2.1.0-4.1.3). The standard Jenkins CSRF protection mechanism uses CrumbExclusion implementations to whitelist specific URLs. The vulnerable function likely used insufficiently restrictive pattern matching in its exclude() method, potentially matching any URL containing a crafted pattern rather than strictly limiting to required OAuth endpoints. The patch in 4.1.4 would have tightened the URL validation logic in this exclusion handler.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n *xt*nsion point in J*nkins *llows s*l**tiv*ly *is**lin* *ross-sit* r*qu*st *or**ry (*SR*) prot**tion *or sp**i*i* URLs. *it*u*k*t S*rv*r Int**r*tion Plu*in impl*m*nts t*is *xt*nsion point to support O*ut* *.* *ut**nti**tion. In *it*u*k*t S*rv*r I

Reasoning

T** vuln*r**ility st*ms *rom t** plu*in's impl*m*nt*tion o* J*nkins' *rum**x*lusion *xt*nsion point *or O*ut* *.* *ut**nti**tion. T** **visory in*i**t*s t** *x*lusion lo*i* w*s too *ro** in vuln*r**l* v*rsions (*.*.*-*.*.*). T** st*n**r* J*nkins *SR*

8.8

Basic Information

Concerned about an active attack path?

CVE-2025-24398: Bitbucket Server Integration Plugin allows bypassing CSRF protection for any URL

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI