
CVE-2025-64135: Vulnerability in Jenkins Project Jenkins Eggplant Runner Plugin

Severity: Medium
Published: Wed Oct 29 2025 (10/29/2025, 13:29:42 UTC)
Source: CVE Database V5
Vendor/Project: Jenkins Project
Product: Jenkins Eggplant Runner Plugin

Description

Jenkins Eggplant Runner Plugin 0.0.1.301.v963cffe8ddb_8 and earlier sets the Java system property `jdk.http.auth.tunneling.disabledSchemes` to an empty value, disabling a protection mechanism of the Java runtime.

AI-Powered Analysis

Last updated: 11/05/2025, 15:52:37 UTC

Technical Analysis

The vulnerability identified as CVE-2025-64135 affects the Jenkins Eggplant Runner Plugin versions 0.0.1.301.v963cffe8ddb_8 and earlier. The core issue is that the plugin sets the Java system property `jdk.http.auth.tunneling.disabledSchemes` to an empty string, effectively disabling a security feature in the Java runtime. This property normally restricts which HTTP authentication schemes are allowed during HTTP tunneling through proxies, preventing credentials from being sent over insecure or unintended channels. By clearing this property, the plugin inadvertently allows HTTP authentication credentials to be transmitted through proxy tunnels that would otherwise be blocked, increasing the risk of credential leakage or interception.

The vulnerability is classified under CWE-1188, which relates to improper restriction of HTTP authentication schemes. The CVSS v3.1 base score is 5.9 (medium severity), with the vector indicating network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). There are no known exploits in the wild, and no patches have been published yet. The vulnerability could be exploited remotely without authentication or user interaction, but the high attack complexity suggests exploitation is non-trivial.

The main risk is unauthorized disclosure of sensitive information, particularly HTTP authentication credentials, which could lead to further attacks if intercepted. This issue is particularly relevant for organizations using Jenkins for continuous integration and deployment pipelines that rely on the Eggplant Runner Plugin, especially in environments where proxy servers are used for HTTP traffic.

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality of sensitive information, such as authentication credentials used in HTTP proxy tunneling scenarios. Organizations heavily reliant on Jenkins for software development and deployment, especially those integrating Eggplant Runner Plugin in their CI/CD pipelines, could see increased risk of credential leakage. This could lead to unauthorized access to internal systems or further lateral movement within networks if attackers intercept these credentials. The impact is heightened in environments with complex proxy configurations or where sensitive data is transmitted over HTTP tunnels. While the vulnerability does not affect integrity or availability directly, the potential for credential compromise can indirectly lead to broader security incidents. Given the widespread use of Jenkins in European tech sectors, including finance, manufacturing, and government, the vulnerability could affect critical infrastructure and sensitive projects. The absence of known exploits reduces immediate risk, but the medium CVSS score and ease of remote exploitation without authentication warrant proactive mitigation.

Mitigation Recommendations

1. Monitor Jenkins plugin updates closely and apply patches for the Eggplant Runner Plugin as soon as they become available to restore the default security settings for `jdk.http.auth.tunneling.disabledSchemes`.
2. Until a patch is released, manually override the Java system property by setting `jdk.http.auth.tunneling.disabledSchemes` to its default secure value (e.g., `Basic, Digest, NTLM, Negotiate`) in the Jenkins runtime environment or plugin configuration to re-enable protection.
3. Restrict the use of the Eggplant Runner Plugin to trusted environments and limit network access to Jenkins servers to reduce exposure.
4. Implement network monitoring and anomaly detection focused on HTTP proxy tunneling traffic to identify unusual authentication attempts or credential leakage.
5. Enforce strict access controls and credential management policies for Jenkins and related systems to minimize the impact of any leaked credentials.
6. Educate DevOps and security teams about this vulnerability to ensure rapid response and awareness of proxy tunneling risks.
7. Consider isolating Jenkins build environments and using encrypted communication channels to reduce the risk of interception.
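
A check for the condition described above, as an added example that is not part of the advisory or the plugin: it classifies the live value of the property from `jcmd <pid> VM.system_properties` output, because a value set at JVM startup can later be replaced by code calling `System.setProperty`. The sample output, PID and path are constructed, the state names are this example's own, and treating a list without `Basic` as weak assumes the JDK's shipped `net.properties` default of `Basic`.

```shell
#!/bin/sh
# Added example: audit jdk.http.auth.tunneling.disabledSchemes in a running JVM.
# Live use (PID is yours to supply):
#   jcmd "$JENKINS_PID" VM.system_properties | classify_tunnel_schemes
PROP='jdk.http.auth.tunneling.disabledSchemes'

# Reads properties-format text on stdin and prints one state:
#   UNSET        no override; the JDK's conf/net.properties value applies
#   EMPTY        override is empty; the protection is disabled (this CVE)
#   WEAK:<list>  override is set but does not list Basic
#   OK:<list>    override lists Basic
classify_tunnel_schemes() {
    awk -v key="$PROP" '
        BEGIN { state = "UNSET" }
        /^#/  { next }                      # timestamp/comment line
        {
            eq = index($0, "=")
            if (eq == 0) next               # e.g. the "<pid>:" header line
            if (substr($0, 1, eq - 1) != key) next
            v = substr($0, eq + 1)
            gsub(/[ \t\r]/, "", v)          # scheme lists may contain spaces
            if (v == "") { state = "EMPTY"; next }
            state = "WEAK:" v
            n = split(tolower(v), parts, ",")
            for (i = 1; i <= n; i++) if (parts[i] == "basic") state = "OK:" v
        }
        END { print state }
    '
}

# Constructed sample of jcmd output from an affected controller.
sample_vulnerable() {
    cat <<'EOF'
4242:
#Wed Oct 29 13:45:40 UTC 2025
java.vm.name=OpenJDK 64-Bit Server VM
jdk.http.auth.tunneling.disabledSchemes=
user.dir=/var/lib/jenkins
EOF
}

sample_vulnerable | classify_tunnel_schemes
```

Run it again after a job that uses the plugin has executed, since the value at startup says nothing about later changes.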


Technical Details

Data Version: 5.1
Assigner Short Name: jenkins
Date Reserved: 2025-10-28T07:34:37.542Z
Cvss Version: null
State: PUBLISHED

Threat ID: 69021a8414cc779bff050fdc

Added to database: 10/29/2025, 1:45:40 PM

Last enriched: 11/5/2025, 3:52:37 PM

Last updated: 12/14/2025, 9:01:20 AM
