Jenkins Plugin Vulnerability: XML External Entity Issue in JDepend
CVE-2025-64134

7.1 HIGH

Key Information:

Vendor: Jenkins

CVE Published: 29 October 2025

What is CVE-2025-64134?

The JDepend Plugin for Jenkins, version 1.3.1 and earlier, bundles an outdated JDepend Maven Plugin. That bundled component does not configure its XML parser to block external entity resolution, leaving the Jenkins plugin susceptible to XML External Entity (XXE) attacks when it parses report files. Such vulnerabilities can lead to unauthorized access to sensitive data or to server-side requests issued from the Jenkins controller, compromising Jenkins environments. Users are advised to upgrade to patched versions and review security configurations to mitigate this risk.
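The mitigation for this class of bug is an XML parser that refuses DTDs and external entities before it reads untrusted input. The following Java example is added here to illustrate that; it is not the JDepend plugin's own code or its fix. The JAXP and Xerces feature names are standard ones, while the report snippets and the `JDepend`/`Packages`/`Package` element shape are constructed sample input for this example only.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Hardened builder: this combination of standard JAXP/Xerces features is
    // this example's assumption of what a plugin should apply before parsing
    // report files it did not produce itself.
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: without a DTD there are no entity declarations.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that honour the SAX features but not the one above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf.newDocumentBuilder();
    }

    // Default builder: the shape of the weakness the advisory describes, a
    // parser left at its defaults while processing untrusted XML.
    public static DocumentBuilder newDefaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    public static Document parse(DocumentBuilder builder, String xml) throws SAXException, IOException {
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a trimmed JDepend-style report with no DOCTYPE.
        String plainReport =
            "<JDepend><Packages><Package name=\"com.example\"/></Packages></JDepend>";
        // Constructed sample: the same report preceded by a DOCTYPE that declares
        // a harmless internal entity. The hardened parser must reject it on the
        // DOCTYPE alone, without ever evaluating what the entity points at.
        String reportWithDoctype =
            "<!DOCTYPE JDepend [ <!ENTITY note \"constructed\"> ]>"
          + "<JDepend><Packages><Package name=\"&note;\"/></Packages></JDepend>";

        DocumentBuilder hardened = newHardenedBuilder();
        System.out.println("hardened, plain report: root element "
            + parse(hardened, plainReport).getDocumentElement().getTagName());
        try {
            parse(hardened, reportWithDoctype);
            System.out.println("hardened, DOCTYPE report: parsed (unexpected)");
        } catch (SAXException e) {
            System.out.println("hardened, DOCTYPE report: rejected -> " + e.getMessage());
        }

        // The default builder accepts the DOCTYPE and expands the entity, which is
        // exactly the behaviour a report file from an untrusted build must not get.
        DocumentBuilder lax = newDefaultBuilder();
        String expanded = parse(lax, reportWithDoctype).getDocumentElement()
            .getElementsByTagName("Package").item(0)
            .getAttributes().getNamedItem("name").getNodeValue();
        System.out.println("default, DOCTYPE report: entity expanded to '" + expanded + "'");
    }
}
```

The detection point for a reviewer is the `DocumentBuilderFactory.newInstance()` call with no `setFeature` lines after it; the `disallow-doctype-decl` feature is the single setting that closes the whole XXE class, and the remaining features only matter when a non-Xerces parser is in use.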

Affected Version(s)

Jenkins JDepend Plugin 0 <= 1.3.1

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved