4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64138

GHSA ID

GHSA-6mgr-3374-4p3c

EPSS Score

CWE

CWE-352

Published

10/29/2025

Updated

10/29/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64138

CVE-2025-64138: Jenkins Start Windocks Containers Plugin vulnerable to cross-site request forgery

Jenkins Start Windocks Containers Plugin 1.4 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64138

CVE-2025-64138:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64138

GHSA ID

GHSA-6mgr-3374-4p3c

EPSS Score

CWE

CWE-352

Published

10/29/2025

Updated

10/29/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:windocks-start-container	maven	<= 1.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists within the WinDocksBuilder.java file of the Jenkins Start Windocks Containers Plugin. The analysis of the source code for version 1.4 reveals two key methods contributing to the vulnerability.

The primary entry point is the doFillImageItems method within the DescriptorImpl inner class. In Jenkins plugins, public methods starting with do in a Descriptor class are automatically exposed as HTTP endpoints. This specific method is intended to populate a list box in the UI. It accepts an ipaddress as a query parameter. Crucially, this method lacks any permission checks to verify if the user is authorized to perform this action, and it does not require the request to be a POST, leaving it open to Cross-Site Request Forgery (CSRF).

The doFillImageItems method then calls the GetImages method, passing the user-supplied ipaddress. The GetImages method directly uses this input to construct a URL (http://%s/images/json) and initiates an HTTP connection. This constitutes a Server-Side Request Forgery (SSRF) vulnerability, as an attacker can specify any IP address or hostname, causing the Jenkins server to make a request to an arbitrary destination.

An attacker can exploit this by crafting a malicious URL and tricking an authenticated Jenkins user into clicking it. This would cause the user's browser to send a GET request to the vulnerable endpoint, triggering the SSRF and making the Jenkins server connect to a URL of the attacker's choice.

Vulnerable functions

windockspkg.windocksplug.WinDocksBuilder$DescriptorImpl.doFillImageItems

src/main/java/windockspkg/windocksplug/WinDocksBuilder.java

This public method is exposed as an HTTP endpoint in Jenkins. It takes an 'ipaddress' from a query parameter and passes it to the `GetImages` method. This endpoint lacks permission checks and CSRF protection (e.g., @RequirePOST annotation), making it vulnerable to Cross-Site Request Forgery (CSRF). An attacker can craft a URL that, when visited by an authenticated Jenkins user, will trigger a server-side request to an arbitrary IP address.

windockspkg.windocksplug.WinDocksBuilder$DescriptorImpl.GetImages

src/main/java/windockspkg/windocksplug/WinDocksBuilder.java

This method is called by `doFillImageItems` and is responsible for the Server-Side Request Forgery (SSRF) vulnerability. It constructs a URL using the user-provided 'ipAddress' without any validation or sanitization and then initiates an HTTP connection to that URL. This allows an attacker to make the Jenkins server send requests to arbitrary locations on the network.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64138: Jenkins Start Windocks Containers Plugin vulnerable to cross-site request forgery

CVE-2025-64138:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2025-64138: Jenkins Start Windocks Containers Plugin vulnerable to cross-site request forgery

Basic Information

Basic Information

4.3

4.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI