
CVE-2025-64136: Jenkins Themis Plugin vulnerable to cross-site request forgery

CVSS Score (v3.1): 4.3

Basic Information

EPSS Score: -
Published: 10/29/2025
Updated: 10/29/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Package Name: org.jenkins-ci.plugins:themis
Ecosystem: maven
Vulnerable Versions: <= 1.4.1
First Patched Version: none available

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability description for CVE-2025-64136 in the Jenkins Themis Plugin states that an HTTP endpoint lacks permission checks and CSRF protection, allowing attackers to make the Jenkins server connect to an arbitrary URL. Since no patch is available, the analysis focused on identifying a method in the plugin's source code that matches this description.

By inspecting the plugin's source code, I identified the doTestConnection method within the com.promyze.themis.jenkins.ThemisGlobalConfiguration$ThemisInstance$ThemisInstanceDescriptor class. In Jenkins, `do*`-prefixed methods within Descriptor classes are automatically exposed by Stapler as HTTP endpoints, reachable via GET, for form validation.

The doTestConnection method takes a url as a query parameter and makes an HTTP GET request to it. The method lacks @RequirePOST annotation or any other CSRF protection, making it vulnerable to CSRF. It also does not perform any permission checks, allowing any user with basic read access to trigger it. This perfectly matches the vulnerability description. An attacker can trick a logged-in Jenkins user into clicking a crafted link, which will cause the Jenkins server to issue a request to a URL of the attacker's choice, leading to a Server-Side Request Forgery (SSRF) vulnerability.

Vulnerable functions

com.promyze.themis.jenkins.ThemisGlobalConfiguration$ThemisInstance$ThemisInstanceDescriptor.doTestConnection
src/main/java/com/promyze/themis/jenkins/ThemisGlobalConfiguration.java
The `doTestConnection` method in the `ThemisInstanceDescriptor` class is an HTTP endpoint used for form validation. This endpoint is vulnerable to Cross-Site Request Forgery (CSRF) because it does not require POST requests and lacks any CSRF protection mechanism (like a CRUMB). Additionally, it does not perform any permission checks, allowing any user with Overall/Read access to trigger it. An attacker can craft a malicious URL that, when clicked by a victim, causes the Jenkins server to send an HTTP GET request to an arbitrary URL specified by the attacker. This can be abused for Server-Side Request Forgery (SSRF) attacks, allowing the attacker to probe the internal network, interact with internal services, or cause the Jenkins server to perform unintended actions.
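To make the finding concrete, here is an added illustration of the pattern described above beside its hardened form. It is a hypothetical reconstruction written for this page, not the Themis plugin's own source: the class name `ThemisInstanceExample`, the `doTestConnectionUnsafe` method and the `probe` helper are assumed; the annotations and permission APIs are standard Jenkins/Stapler ones.

```java
// Hypothetical reconstruction of the pattern the analysis describes; not the Themis plugin's code.
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.net.HttpURLConnection;
import java.net.URL;

public class ThemisInstanceExample extends AbstractDescribableImpl<ThemisInstanceExample> {
    @Extension
    public static class DescriptorImpl extends Descriptor<ThemisInstanceExample> {
        // BEFORE (the shape the page describes): Stapler exposes any public doXyz
        // method to GET, the CSRF crumb is only checked on POST, and nothing checks
        // permissions, so any Overall/Read user or a victim following a crafted
        // link makes the controller fetch whatever URL is in the query string.
        public FormValidation doTestConnectionUnsafe(@QueryParameter String url) {
            return probe(url);
        }

        // AFTER: @POST rejects GET (a plain link can no longer trigger it and the
        // crumb check applies); checkPermission restricts the probe to admins,
        // the only users who can save this global configuration anyway.
        @POST
        public FormValidation doTestConnection(@QueryParameter String url) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return probe(url);
        }

        private static FormValidation probe(String url) {
            try {
                URL target = new URL(url);
                String scheme = target.getProtocol();
                if (!"http".equals(scheme) && !"https".equals(scheme)) {
                    return FormValidation.error("Only http/https URLs are accepted");
                }
                HttpURLConnection conn = (HttpURLConnection) target.openConnection();
                conn.setConnectTimeout(5000);
                conn.setReadTimeout(5000);
                conn.setInstanceFollowRedirects(false); // do not chase redirects elsewhere
                int code = conn.getResponseCode();
                return code == 200 ? FormValidation.ok("Connection OK")
                                   : FormValidation.error("HTTP " + code);
            } catch (Exception e) {
                return FormValidation.error("Connection failed: " + e.getMessage());
            }
        }
    }
}
```

The Jelly form must then use `f:validateButton`, which submits the validation request via POST, so the hardened method stays usable from the configuration page. `@RequirePOST`, mentioned in the analysis above, is the equivalent annotation for non-form-validation web methods.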
