CVE-2025-64138 identifies a cross-site request forgery (CSRF) vulnerability in the Jenkins Start Windocks Containers Plugin version 1.4 and earlier. CSRF vulnerabilities occur when an attacker tricks a logged-in user’s browser into sending unauthorized commands to a web application. In this case, the vulnerability allows an attacker to cause the Jenkins server to connect to an attacker-specified URL, potentially enabling unauthorized interactions with internal or external systems. The plugin facilitates starting Windocks containers, which are Windows container instances, within Jenkins pipelines. Exploitation requires the attacker to have low privileges (PR:L) on the Jenkins server but does not require user interaction (UI:N). The attack vector is network-based (AV:N), meaning the attacker can exploit it remotely. The vulnerability impacts integrity (I:L) but does not affect confidentiality or availability. The CVSS score of 4.3 reflects a medium severity, indicating moderate risk. No patches or known exploits are currently available, and the vulnerability was published on October 29, 2025. The CWE-352 classification confirms the CSRF nature of the flaw. This vulnerability could be leveraged to manipulate Jenkins workflows or cause Jenkins to interact with malicious endpoints, potentially leading to further compromise or data manipulation within CI/CD pipelines.

For European organizations, this vulnerability poses a moderate risk primarily to the integrity of CI/CD processes managed via Jenkins. Organizations using the Start Windocks Containers Plugin in their Jenkins environments could see unauthorized commands executed, potentially leading to manipulation of build or deployment pipelines. This could result in the injection of malicious code, unauthorized container launches, or unintended network connections to attacker-controlled systems. While confidentiality and availability are not directly impacted, the integrity compromise could facilitate further attacks or data tampering. Sectors with heavy reliance on automated software delivery, such as finance, telecommunications, and critical infrastructure, could face operational disruptions or reputational damage if attackers exploit this flaw. The lack of user interaction requirement and the ability to exploit remotely increase the risk in environments where Jenkins servers are exposed or insufficiently segmented from untrusted networks.

1. Immediately audit Jenkins instances to identify usage of the Start Windocks Containers Plugin version 1.4 or earlier and disable or remove the plugin if not essential. 2. Restrict network access to Jenkins servers, limiting connections to trusted internal IPs and VPNs to reduce exposure to remote attackers. 3. Implement strict CSRF protection mechanisms at the Jenkins server level, including enabling built-in CSRF protection features and verifying plugin compatibility with these protections. 4. Monitor Jenkins logs for unusual or unexpected requests that could indicate exploitation attempts, focusing on requests that trigger container start commands or external URL connections. 5. Enforce the principle of least privilege for Jenkins users, ensuring that only necessary accounts have permissions to start containers or modify pipelines. 6. Segregate Jenkins infrastructure from critical production environments to contain potential impacts. 7. Stay alert for official patches or updates from the Jenkins project and apply them promptly once available. 8. Educate development and operations teams about the risks of CSRF and the importance of secure plugin management.