CVE-2025-64132: 
Java vulnerability analysis and mitigation

CVE-2025-64132 affects the Jenkins MCP Server Plugin versions 0.84.v50ca_24ef83f2 and earlier, disclosed on October 29, 2025. The vulnerability stems from missing permission checks in multiple MCP tools, which could allow attackers to access unauthorized information and trigger unauthorized builds (Jenkins Project).

The vulnerability is rated as Medium severity and involves insufficient permission validation in several MCP tools. The issue allows attackers with basic Item/Read permission to access information about configured SCM in jobs without having Item/Extended Read permission, trigger new builds without Item/Build permission, and retrieve cloud configuration names without Overall/Read permission (Jenkins Project). The vulnerability has been assigned a CVSS 3.1 Base Score of 5.4 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) (NVD).

The vulnerability's impact includes unauthorized access to sensitive job configuration information, unauthorized build triggering capabilities, and exposure of cloud configuration details. This creates potential security risks through information disclosure and unauthorized build execution (Jenkins Project, GBHackers).

The vulnerability has been fixed in MCP Server Plugin version 0.86.v7d3355e6aa18, which implements proper permission checks for the affected MCP tools. Users are advised to update to this version to mitigate the security risk (Jenkins Project).

The vulnerability was discovered and reported by Kevin Guerroudj from CloudBees, Inc., highlighting the active security research within the Jenkins community (Jenkins Project).