CVE-2025-64131 Overview
CVE-2025-64131 is an authentication bypass vulnerability in Jenkins SAML Plugin version 4.583.vc68232f7018a_ and earlier. The plugin fails to implement a replay cache for SAML authentication responses, allowing attackers who can intercept SAML authentication flow data between a user's web browser and Jenkins to replay those requests and authenticate as that user.
Critical Impact
Attackers can impersonate legitimate Jenkins users by replaying captured SAML authentication responses, potentially gaining unauthorized access to CI/CD pipelines and sensitive build configurations.
Affected Products
- Jenkins SAML Plugin version 4.583.vc68232f7018a_ and earlier
- Jenkins installations using SAML-based single sign-on authentication
- Environments where SAML authentication traffic can be intercepted
Discovery Timeline
- October 29, 2025 - CVE-2025-64131 published to NVD
- October 29, 2025 - Jenkins releases Security Advisory #SECURITY-3613
- December 22, 2025 - Last updated in NVD database
Technical Details for CVE-2025-64131
Vulnerability Analysis
This vulnerability stems from the absence of a replay cache mechanism in the Jenkins SAML Plugin's authentication handling. In SAML-based authentication, assertions are typically valid for a short time window. However, without a replay cache, the plugin cannot detect when the same SAML response has been submitted multiple times. An attacker who obtains a valid SAML response—through network interception, browser history access, or log file exposure—can replay that response to authenticate as the original user.
The vulnerability is classified under CWE-294 (Authentication Bypass by Capture-replay), which describes scenarios where an authentication mechanism does not sufficiently prevent the replay of captured authentication credentials or tokens.
Root Cause
The root cause is the missing implementation of a replay cache in the Jenkins SAML Plugin. A properly implemented SAML service provider should maintain a cache of recently used SAML assertion IDs and reject any assertion that has already been processed. The affected versions of the SAML Plugin do not track assertion IDs, allowing the same SAML response to be accepted multiple times within its validity period.
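As an added illustration (not code from the SAML Plugin or from its fix), the following Python sketches the check described above: a service-provider-side replay cache keyed by assertion ID, with entries kept until the assertion's own NotOnOrAfter instant. The SAML Response is a constructed sample, and signature verification is assumed to have already succeeded before this step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_instant(ts):
    """SAML timestamps are UTC with a trailing 'Z'; return epoch seconds."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc).timestamp()

class ReplayCache:
    """Remembers consumed assertion IDs until their NotOnOrAfter instant; past
    that, the freshness check rejects them anyway, so eviction is safe."""
    def __init__(self):
        self._seen = {}  # assertion ID -> NotOnOrAfter (epoch seconds)

    def consume(self, assertion_id, not_on_or_after, now):
        """True the first time an ID is presented, False on any replay."""
        self._seen = {a: exp for a, exp in self._seen.items() if exp > now}
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = not_on_or_after
        return True

def validate_response(xml_text, cache, now):
    """Freshness + replay checks only (signature verification assumed done).
    Returns (accepted, reason)."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None or assertion.get("ID") is None:
        return False, "missing assertion or ID"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False, "missing NotOnOrAfter"
    not_on_or_after = parse_instant(cond.get("NotOnOrAfter"))
    not_before = parse_instant(cond.get("NotBefore", "1970-01-01T00:00:00Z"))
    if now < not_before or now >= not_on_or_after:
        return False, "outside validity window"
    if not cache.consume(assertion.get("ID"), not_on_or_after, now):
        return False, "replayed assertion ID"
    return True, "accepted"

# Constructed sample Response (hypothetical values; signature omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1b2c3" Version="2.0" IssueInstant="2025-10-29T12:00:00Z">
    <saml:Conditions NotBefore="2025-10-29T12:00:00Z" NotOnOrAfter="2025-10-29T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""
```

The same response is accepted once and rejected on every later submission inside its window; the cache entry is dropped once the window closes because the freshness check then rejects it regardless.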
Attack Vector
The attack requires network-level access to intercept SAML authentication traffic between a victim's browser and the Jenkins server. This could be achieved through:
- Man-in-the-Middle positioning on the network path between the user and Jenkins
- Access to browser history or session storage containing SAML responses
- Log file access where SAML responses may be inadvertently logged
- Compromised Identity Provider forwarding SAML responses to attackers
Once a valid SAML response is captured, the attacker submits the same response to Jenkins, which accepts it as a valid authentication attempt and grants access with the original user's privileges.
The attack is network-based and requires user interaction (the victim must authenticate via SAML for the attacker to capture a valid response). However, no prior privileges are required on the Jenkins system itself.
Detection Methods for CVE-2025-64131
Indicators of Compromise
- Multiple authentication events from the same SAML assertion ID within a short time period
- Authentication requests originating from IP addresses inconsistent with the user's typical access patterns
- Successful logins following network traffic interception alerts
- Unusual timing patterns in SAML authentication requests (e.g., rapid succession or replays after the original login)
Detection Strategies
- Monitor Jenkins authentication logs for duplicate SAML assertion IDs being accepted
- Implement network-level detection for SAML response capture attempts via TLS inspection anomalies
- Cross-reference authentication events with user location and device fingerprinting data
- Deploy SIEM rules to alert on authentication patterns indicative of replay attacks
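As an added example (not part of the advisory, and not the plugin's actual log wording), the following Python runs the duplicate-assertion-ID check from the list above over constructed log lines in a hypothetical format, and also reports whether the duplicate acceptances came from different client addresses, which ties in the location cross-reference.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical log format, constructed for this example (the real plugin's
# wording differs): ISO timestamp, outcome, user, assertion ID, client address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SAML login (?P<outcome>accepted|rejected) "
    r"user=(?P<user>\S+) assertion=(?P<aid>\S+) from=(?P<ip>\S+)$")

# Constructed sample log: _a1b2c3 is accepted twice from two different
# addresses; _d4e5f6 is presented twice but the second attempt is rejected.
SAMPLE_LOG = """\
2025-10-29T12:01:03Z SAML login accepted user=alice assertion=_a1b2c3 from=10.0.0.5
2025-10-29T12:01:40Z SAML login accepted user=bob assertion=_d4e5f6 from=10.0.0.9
2025-10-29T12:03:17Z SAML login accepted user=alice assertion=_a1b2c3 from=198.51.100.23
2025-10-29T12:10:00Z SAML login rejected user=bob assertion=_d4e5f6 from=10.0.0.9
2025-10-29T13:00:00Z SAML login accepted user=carol assertion=_777777 from=10.0.0.7
"""

def parse_log(text):
    """Return one dict per matching line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append(ev)
    return events

def find_replays(events):
    """Flag assertion IDs accepted more than once. A duplicate that was
    rejected is the replay cache working and is not reported."""
    accepted = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "accepted":
            accepted[ev["aid"]].append(ev)
    findings = []
    for aid, evs in accepted.items():
        if len(evs) < 2:
            continue
        evs.sort(key=lambda e: e["ts"])
        findings.append({
            "assertion": aid, "user": evs[0]["user"], "count": len(evs),
            "gap_seconds": (evs[-1]["ts"] - evs[0]["ts"]).total_seconds(),
            "distinct_ips": sorted({e["ip"] for e in evs}),
        })
    return findings
```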
Monitoring Recommendations
- Enable verbose logging for the SAML authentication plugin to capture assertion details
- Configure alerts for authentication events from new or unusual IP addresses
- Implement session monitoring to detect concurrent sessions that may indicate credential compromise
- Review Identity Provider logs in correlation with Jenkins authentication events
How to Mitigate CVE-2025-64131
Immediate Actions Required
- Update Jenkins SAML Plugin to the latest patched version immediately
- Review recent authentication logs for signs of potential replay attacks
- Enforce HTTPS with proper certificate validation to reduce interception risk
- Consider temporarily disabling SAML authentication and using alternative methods until patched
Patch Information
Jenkins has released a security patch addressing this vulnerability. Administrators should update the SAML Plugin to the latest available version. Refer to the Jenkins Security Advisory #SECURITY-3613 for specific version information and update instructions.
Updates can be applied through the Jenkins Plugin Manager or by downloading the updated plugin directly from the Jenkins Update Center.
Workarounds
- Implement additional network-level controls to prevent SAML response interception (strict TLS enforcement, certificate pinning)
- Reduce SAML assertion validity periods at the Identity Provider level to minimize the replay window
- Enable IP binding for SAML assertions if supported by your Identity Provider
- Consider implementing additional authentication factors that cannot be replayed (e.g., hardware tokens, push notifications)
The installed version can be checked and the plugin updated through the Jenkins CLI. The commands below assume jenkins-cli.jar has been downloaded from the controller and that JENKINS_URL and JENKINS_AUTH (user:API-token) are set in the environment:
# Verify the currently installed SAML Plugin version
java -jar jenkins-cli.jar -s "$JENKINS_URL" -auth "$JENKINS_AUTH" list-plugins | grep -i saml
# Install the latest SAML Plugin from the Update Center, deploy it, and restart Jenkins
java -jar jenkins-cli.jar -s "$JENKINS_URL" -auth "$JENKINS_AUTH" install-plugin saml -deploy -restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

