CVE-2025-64134: 
Java vulnerability analysis and mitigation

CVE-2025-64134 affects the Jenkins JDepend Plugin versions 1.3.1 and earlier, discovered and disclosed on October 29, 2025. This vulnerability impacts the JDepend Maven Plugin component within the Jenkins automation server ecosystem. The issue was identified by CC Bomber from Kitri BoB and was publicly disclosed through the Jenkins security advisory (Jenkins Project, CVE List).

The vulnerability is classified as an XML External Entity (XXE) injection vulnerability with a CVSS v3.1 score of 7.1 (High). The security flaw stems from an outdated version of the JDepend Maven Plugin that fails to properly configure its XML parser to prevent XXE attacks. The vulnerability is tracked under CWE-611 (Improper Restriction of XML External Entity Reference) (Miggo).

When exploited, this vulnerability allows attackers who can configure input files for the 'Report JDepend' step to craft malicious files that leverage external entities. This can lead to the extraction of secrets from the Jenkins controller or enable server-side request forgery (SSRF) attacks (Jenkins Project).

As of the advisory publication date, no official fix has been released for this vulnerability. Users of the JDepend Plugin version 1.3.1 and earlier should assess their risk exposure and consider implementing additional security controls to prevent unauthorized access to the 'Report JDepend' step configuration (Jenkins Project).

The vulnerability was announced as part of a larger Jenkins security advisory that disclosed multiple plugin vulnerabilities. The security community has classified this as a high-severity issue, particularly concerning due to its potential for secret extraction and SSRF attacks (GBHackers).