Unencrypted API Key Storage Vulnerability in Jenkins Curseforge Publisher Plugin
CVE-2025-64146

4.3 MEDIUM

Key Information:

Vendor:
Jenkins

CVE Published:
29 October 2025

What is CVE-2025-64146?

The Curseforge Publisher Plugin for Jenkins improperly stores API keys in an unencrypted format within job configuration files on the Jenkins controller. This flaw enables users with Item or Extended Read permissions, as well as those with access to the Jenkins file system, to potentially view sensitive API credentials. It's crucial for users of this plugin to take immediate measures to secure their Jenkins environments, including reviewing access permissions and implementing encryption for sensitive data.
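As an added defender-side check (not code from the page or from the plugin), the audit below walks job config.xml files on a Jenkins controller and flags credential-like elements whose value is not in the `{base64}` form that Jenkins' hudson.util.Secret writes. The element-name heuristic and the com.example.CurseforgePublisher class name are assumptions; the page does not name the plugin's real field.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# A value written through Jenkins' hudson.util.Secret appears in config.xml
# as "{<base64>}"; anything else in a credential-like element is plaintext.
ENCRYPTED_VALUE_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Element-name heuristic (an assumption; the page does not name the plugin's field).
CREDENTIAL_TAG_RE = re.compile(r"api.?key|token|password|secret", re.IGNORECASE)


def mask(value: str) -> str:
    """Never echo the full secret into audit output."""
    return value[:3] + "***"


def find_plaintext_secrets(config_xml: str) -> list[tuple[str, str]]:
    """Return (tag, masked value) for credential-like elements stored unencrypted."""
    findings = []
    for elem in ET.fromstring(config_xml).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        value = (elem.text or "").strip()
        if CREDENTIAL_TAG_RE.search(tag) and value and not ENCRYPTED_VALUE_RE.match(value):
            findings.append((tag, mask(value)))
    return findings


def scan_jobs(jenkins_home: str) -> dict[str, list[tuple[str, str]]]:
    """Audit every job config.xml under $JENKINS_HOME/jobs; returns only jobs with findings."""
    results = {}
    for cfg in Path(jenkins_home).glob("jobs/*/config.xml"):
        hits = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        if hits:
            results[cfg.parent.name] = hits
    return results


# Constructed samples; the publisher class name is hypothetical, not the plugin's real one.
VULNERABLE_CONFIG = """<project>
  <publishers>
    <com.example.CurseforgePublisher>
      <projectId>12345</projectId>
      <apiKey>cf-demo-key-1234</apiKey>
    </com.example.CurseforgePublisher>
  </publishers>
</project>"""

FIXED_CONFIG = VULNERABLE_CONFIG.replace("cf-demo-key-1234", "{AQAAABAAAAAQdGVzdA==}")

if __name__ == "__main__":
    print(find_plaintext_secrets(VULNERABLE_CONFIG))  # [('apiKey', 'cf-***')]
    print(find_plaintext_secrets(FIXED_CONFIG))       # []
```

Run `scan_jobs("/var/lib/jenkins")` (or wherever JENKINS_HOME lives) on the controller; any job listed still carries a plaintext key and should have that key rotated after the plugin is updated or removed.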

Affected Version(s)

Jenkins Curseforge Publisher Plugin, all versions up to and including 1.0

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
