CVE-2025-64133 identifies a cross-site request forgery (CSRF) vulnerability in the Jenkins Extensible Choice Parameter Plugin, specifically version 239.v5f5c278708cf and earlier. Jenkins is a widely used open-source automation server for continuous integration and delivery (CI/CD). The Extensible Choice Parameter Plugin allows users to define dynamic choice parameters for Jenkins jobs, often using Groovy scripts to generate options. The vulnerability arises because the plugin fails to adequately verify the authenticity of requests, allowing an attacker to craft a malicious request that executes sandboxed Groovy code within the Jenkins environment without requiring user authentication. This can lead to unauthorized code execution, potentially allowing attackers to manipulate build processes, access sensitive data, or pivot within the network. The sandboxed Groovy code execution limits some capabilities but still presents a significant risk. No CVSS score has been assigned yet, and no public exploits are known. The vulnerability was published on October 29, 2025, shortly after being reserved. The lack of patch links suggests that a fix may not yet be available, emphasizing the need for immediate mitigation strategies. Given Jenkins' critical role in software development pipelines, exploitation could disrupt development workflows and compromise the integrity of deployed software.

For European organizations, this vulnerability poses a substantial risk to the integrity and availability of software development pipelines. Jenkins is widely adopted across Europe, especially in technology-driven economies such as Germany, France, the UK, the Netherlands, and the Nordics. Exploitation could allow attackers to execute arbitrary Groovy scripts, potentially leading to unauthorized access to sensitive build configurations, source code, credentials stored within Jenkins, or even lateral movement within corporate networks. This could result in compromised software builds, insertion of malicious code into production artifacts, and disruption of continuous integration and deployment processes. The impact extends to confidentiality, integrity, and availability of critical development infrastructure. Organizations relying heavily on automated pipelines for rapid software delivery are particularly vulnerable, as exploitation could delay releases or introduce backdoors into software products. The absence of known exploits currently provides a window for proactive defense, but the risk remains high given the ease of exploitation via CSRF and the critical nature of Jenkins in modern development environments.

1. Immediately audit Jenkins instances to identify usage of the Extensible Choice Parameter Plugin and determine the plugin version. 2. Apply any available patches or updates from the Jenkins project as soon as they are released. 3. Until patches are available, restrict access to Jenkins instances to trusted networks and users only, employing network segmentation and firewall rules. 4. Implement strict CSRF protection measures in Jenkins, including enabling Jenkins' built-in CSRF protection features and verifying that all plugins comply with these protections. 5. Limit the use of Groovy scripts in Jenkins jobs and review existing scripts for potential abuse. 6. Monitor Jenkins logs for unusual or unauthorized requests that could indicate exploitation attempts. 7. Employ multi-factor authentication (MFA) and role-based access control (RBAC) to minimize the risk of unauthorized access. 8. Educate development and operations teams about the risks associated with this vulnerability and encourage prompt reporting of suspicious activity. 9. Consider temporarily disabling or removing the vulnerable plugin if it is not essential to operations until a secure version is available. 10. Maintain an incident response plan tailored to CI/CD infrastructure compromises.