4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64139

GHSA ID

GHSA-mj6v-4wr4-gj57

EPSS Score

CWE

CWE-862

Published

10/29/2025

Updated

10/29/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64139

CVE-2025-64139: Jenkins Start Windocks Containers Plugin is missing a permission check

Jenkins Start Windocks Containers Plugin 1.4 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64139

CVE-2025-64139:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64139

GHSA ID

GHSA-mj6v-4wr4-gj57

EPSS Score

CWE

CWE-862

Published

10/29/2025

Updated

10/29/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:windocks-start-container	maven	<= 1.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in an unsecured HTTP endpoint within the Jenkins Start Windocks Containers Plugin. The analysis of the plugin's source code, specifically the WinDocksBuilder.java file, revealed that the doFillImageItems method in the nested DescriptorImpl class is exposed without any permission checks. This method is intended to populate a UI dropdown with Docker image names from a given Windocks server IP.

The doFillImageItems method takes an ipaddress as a query parameter and passes it to the GetImages method. The GetImages method then constructs a URL with the provided ipaddress and makes an HTTP GET request to fetch image data. Because there is no validation on the ipaddress parameter, an attacker with only Overall/Read permissions can craft a request to this endpoint, forcing the Jenkins server to make a request to any URL or IP address on their behalf. This constitutes a Server-Side Request Forgery (SSRF) vulnerability. The advisory also correctly points out that the endpoint is vulnerable to Cross-Site Request Forgery (CSRF) because it responds to GET requests, which can be triggered from a malicious website visited by a logged-in Jenkins user.

Vulnerable functions

windockspkg.windocksplug.WinDocksBuilder$DescriptorImpl.doFillImageItems

src/main/java/windockspkg/windocksplug/WinDocksBuilder.java

This method is an unsecured HTTP endpoint in the plugin. It takes an 'ipaddress' parameter from the user and uses it to call the `GetImages` function. There are no permission checks to verify if the user is authorized to perform this action, allowing any user with Overall/Read permissions to trigger it. This leads to a Server-Side Request Forgery (SSRF) vulnerability. Additionally, as it does not require a POST request, it is vulnerable to Cross-Site Request Forgery (CSRF).

windockspkg.windocksplug.WinDocksBuilder$DescriptorImpl.GetImages

src/main/java/windockspkg/windocksplug/WinDocksBuilder.java

This function is called by `doFillImageItems` and is responsible for the SSRF vulnerability. It constructs a URL using the user-provided 'ipAddress' without any validation or sanitization. It then makes an HTTP GET request to this crafted URL, causing the Jenkins server to send a request to an arbitrary address specified by the attacker.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64139: Jenkins Start Windocks Containers Plugin is missing a permission check

CVE-2025-64139:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

4.3

4.3

CVE-2025-64139: Jenkins Start Windocks Containers Plugin is missing a permission check

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI