CVE-2025-64133 Overview
CVE-2025-64133 is a cross-site request forgery (CSRF) vulnerability in the Jenkins Extensible Choice Parameter Plugin. Versions 239.v5f5c278708cf and earlier are affected. The flaw allows attackers to execute sandboxed Groovy code by tricking authenticated Jenkins users into submitting forged requests. The vulnerability is tracked under Jenkins Security Advisory SECURITY-3583 and classified under CWE-352.
Critical Impact
Attackers can trigger execution of sandboxed Groovy code within Jenkins by exploiting missing CSRF protection, enabling unintended actions in the context of an authenticated victim.
Affected Products
- Jenkins Extensible Choice Parameter Plugin 239.v5f5c278708cf and earlier
- Jenkins controllers with the plugin installed and CSRF-vulnerable endpoints exposed
- Any downstream Jenkins pipeline relying on Groovy-based extensible choice parameters
Discovery Timeline
- 2025-10-29 - Jenkins publishes Security Advisory SECURITY-3583
- 2025-10-29 - CVE-2025-64133 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64133
Vulnerability Analysis
The Extensible Choice Parameter Plugin exposes functionality that generates parameter values through Groovy scripts running under the Jenkins script sandbox. The affected endpoint accepts state-changing requests without verifying an anti-CSRF token or restricting the HTTP method. An attacker who lures an authenticated Jenkins user to a malicious page can submit a crafted request that triggers server-side execution of sandboxed Groovy code. While the sandbox limits direct arbitrary code execution, attackers can still coerce actions the victim did not intend, and sandbox escapes historically compound the risk.
Root Cause
The root cause is missing CSRF protection [CWE-352] on request handlers that trigger Groovy evaluation. Jenkins provides @RequirePOST and crumb-based CSRF defenses, but the affected handler did not enforce them. As a result, GET or forged POST requests originating from a third-party site are accepted as legitimate.
Attack Vector
Exploitation requires user interaction. An attacker hosts a page that issues a cross-origin request to a Jenkins instance where the victim is authenticated. When the victim visits the page, their browser attaches session cookies, causing Jenkins to process the request and evaluate the attacker-supplied Groovy expression in the sandbox. No prior privileges on the target Jenkins are required from the attacker; the victim's session provides the authorization context.
No public proof-of-concept exploit or exploitation in the wild has been reported. See the Jenkins Security Advisory SECURITY-3583 for vendor-authoritative technical details.
Detection Methods for CVE-2025-64133
Indicators of Compromise
- Unexpected POST or GET requests to Extensible Choice Parameter endpoints from external Referer or Origin headers
- Jenkins audit log entries showing Groovy parameter evaluations initiated outside normal job configuration workflows
- Access patterns where authenticated users trigger parameter endpoints in rapid succession from browser sessions
Detection Strategies
- Inspect Jenkins access logs for requests to plugin URLs lacking valid CSRF crumb tokens
- Correlate web proxy logs with Jenkins request logs to identify cross-origin request patterns targeting Jenkins users
- Monitor Jenkins system logs for groovy.lang.GroovyShell or sandbox evaluation events tied to parameter endpoints rather than build execution
Monitoring Recommendations
- Enable Jenkins access logging with full URI and header capture, and forward logs to a centralized analytics platform
- Alert on Groovy script executions initiated from non-build contexts within the Extensible Choice Parameter Plugin
- Track plugin version inventory across Jenkins controllers to identify systems still running vulnerable releases
How to Mitigate CVE-2025-64133
Immediate Actions Required
- Upgrade the Extensible Choice Parameter Plugin to a fixed release as identified in Jenkins Security Advisory SECURITY-3583
- Verify that global CSRF protection is enabled in Jenkins under Manage Jenkins → Security
- Restrict Jenkins controller access to trusted networks and authenticated users only
- Audit installed plugins and remove the Extensible Choice Parameter Plugin if it is not actively required
Patch Information
Refer to the Jenkins Security Advisory SECURITY-3583 for the fixed plugin version and upgrade guidance. Additional discussion is available on the Openwall OSS-Security Mailing List.
Workarounds
- Disable or uninstall the Extensible Choice Parameter Plugin until an upgrade is applied
- Educate Jenkins users to log out of the controller when not actively administering it, reducing the CSRF exposure window
- Enforce strict SameSite=Lax or Strict cookie policies at the reverse proxy fronting Jenkins to blunt cross-origin request delivery
# Configuration example: enforce SameSite cookies at an nginx reverse proxy in front of Jenkins
proxy_cookie_path / "/; HttpOnly; Secure; SameSite=Strict";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

