CVE-2025-64134 identifies a security vulnerability in the Jenkins JDepend Plugin, specifically versions 1.3.1 and earlier. The root cause is the inclusion of an outdated version of the JDepend Maven Plugin, which does not properly configure its XML parser to prevent XML External Entity (XXE) attacks. XXE vulnerabilities arise when XML parsers process external entity references within XML documents, potentially allowing attackers to read local files, perform server-side request forgery (SSRF), or cause denial of service by exhausting resources. In this case, the Jenkins JDepend Plugin's XML parser is vulnerable because it does not disable or restrict external entity processing. Jenkins is a widely used open-source automation server that facilitates continuous integration and continuous delivery (CI/CD) workflows. The JDepend Plugin is used to analyze Java project dependencies, and it processes XML data as part of its operation. An attacker who can supply crafted XML input to the plugin could exploit this vulnerability to extract sensitive information from the Jenkins server environment or disrupt service availability. The vulnerability does not require authentication or user interaction if the plugin is exposed to untrusted XML input, increasing the risk. Although no public exploits have been reported yet, the vulnerability is publicly disclosed and should be addressed promptly. No CVSS score has been assigned, but the vulnerability's characteristics indicate a significant risk. The Jenkins community and users are advised to update the plugin to a fixed version once available or apply mitigations such as disabling external entity processing in XML parsers or restricting access to the plugin's interfaces. This vulnerability highlights the importance of secure XML parsing configurations in software components integrated into CI/CD pipelines.

For European organizations, the exploitation of CVE-2025-64134 could lead to unauthorized disclosure of sensitive information stored or accessible by Jenkins servers, including source code, credentials, or configuration data. This could compromise intellectual property and lead to further attacks within the network. Additionally, attackers could cause denial of service by exploiting the XML parser to consume excessive resources, disrupting critical CI/CD workflows and delaying software delivery. Given Jenkins' central role in software development pipelines, such disruptions could have cascading effects on business operations, compliance, and customer trust. Organizations in Europe with automated build and deployment processes relying on Jenkins JDepend Plugin are at risk, especially if the plugin is exposed to untrusted inputs or insufficiently isolated environments. The lack of authentication requirements for exploitation increases the threat level, particularly in environments where Jenkins instances are accessible beyond trusted internal networks. The vulnerability could also be leveraged as a foothold for lateral movement or privilege escalation if combined with other weaknesses. Overall, the impact on confidentiality, integrity, and availability is significant, warranting urgent remediation to protect European software development infrastructure.

To mitigate CVE-2025-64134, European organizations should take the following specific actions: 1) Immediately identify Jenkins instances using the JDepend Plugin version 1.3.1 or earlier and prioritize their update. 2) Monitor Jenkins plugin update channels and apply the fixed plugin version once released by the Jenkins project. 3) If an immediate update is not possible, configure the XML parser used by the JDepend Plugin to disable external entity processing (e.g., by setting secure XML parser features such as 'disallow-doctype-decl' and 'external-general-entities' to false). 4) Restrict network access to Jenkins servers, ensuring that only trusted users and systems can interact with the plugin interfaces, reducing exposure to untrusted XML inputs. 5) Implement network segmentation and firewall rules to isolate Jenkins environments from external networks. 6) Audit Jenkins logs and monitor for suspicious XML parsing errors or unusual activity that could indicate attempted exploitation. 7) Educate development and DevOps teams about the risks of XXE vulnerabilities and secure plugin management practices. 8) Consider deploying runtime application self-protection (RASP) or web application firewalls (WAF) capable of detecting and blocking malicious XML payloads targeting Jenkins. These targeted mitigations go beyond generic patching advice and focus on reducing attack surface and exposure while awaiting official fixes.