4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64142

CVE-2025-64142: Jenkins Nexus Task Runner Plugin is missing a permission check

Jenkins Nexus Task Runner Plugin 0.9.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64142

CVE-2025-64142:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:nexus-task-runner	maven	<= 0.9.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in a missing permission check and CSRF protection in an HTTP endpoint of the Nexus Task Runner Plugin. The security advisory states that this allows attackers with 'Overall/Read' permission to make Jenkins connect to an arbitrary URL with specified credentials. Since no patch is available, I analyzed the source code of the latest vulnerable version (0.9.2). In Jenkins plugins, HTTP endpoints for UI interactions like 'Test Connection' buttons are typically implemented as do... methods in a Descriptor class. I identified the doTestConnection method in NexusTaskRunner.DescriptorImpl as the vulnerable function. This method takes a nexusUrl and credentialsId as parameters, does not perform any permission checks before using them to establish a connection, and is not annotated with @RequirePOST to prevent CSRF attacks. This perfectly aligns with the details provided in the security advisory.

Vulnerable functions

org.jenkinsci.plugins.nexustaskrunner.NexusTaskRunner$DescriptorImpl.doTestConnection

src/main/java/org/jenkinsci/plugins/nexustaskrunner/NexusTaskRunner.java

This method is an HTTP endpoint that takes a URL and credentials as input to test a connection. It lacks any permission checks, allowing any user with Overall/Read access to trigger it. It also does not require a POST request, making it vulnerable to CSRF. This directly matches the vulnerability description.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64142: Jenkins Nexus Task Runner Plugin is missing a permission check

CVE-2025-64142:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-64142: Jenkins Nexus Task Runner Plugin is missing a permission check

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

4.3

4.3

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI