5.9

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64135

CVE-2025-64135: Jenkins Eggplant Runner Plugin protection mechanism disabled

Jenkins Eggplant Runner Plugin 0.0.1.301.v963cffe8ddb_8 and earlier sets the Java system property jdk.http.auth.tunneling.disabledSchemes to an empty value as part of applying a proxy configuration.

This disables a protection mechanism of the Java runtime addressing CVE-2016-5597.

As of publication of this advisory, there is no fix.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64135

CVE-2025-64135:

5.9

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.jenkins.plugins:eggplant-runner	maven	<= 0.0.1.301.v963cffe8ddb

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability described in GHSA-w5r3-gr8w-7fj5 states that the Jenkins Eggplant Runner Plugin disables a Java security feature by setting the jdk.http.auth.tunneling.disabledSchemes system property to an empty string when configuring a proxy. By analyzing the source code of the plugin, I was able to locate the exact location where this occurs. The setProxy method within the io.jenkins.plugins.eggplant.utils.CLIRunnerHelper class is responsible for setting up the proxy configuration. Inside this method, the line System.setProperty("jdk.http.auth.tunneling.disabledSchemes", ""); is present, which directly corresponds to the described vulnerability. This method is invoked when the plugin attempts to download the Eggplant runner CLI via a proxy. The build process is initiated by the perform method in the io.jenkins.plugins.eggplant.EggplantRunnerBuilder class, which would be the top-level function in a stack trace when the vulnerability is triggered.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64135: Jenkins Eggplant Runner Plugin protection mechanism disabled

CVE-2025-64135:

5.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

5.9

5.9

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-64135: Jenkins Eggplant Runner Plugin protection mechanism disabled

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI