CVE-2025-64137: 
Java vulnerability analysis and mitigation

CVE-2025-64137 is a security vulnerability discovered in Jenkins Themis Plugin version 1.4.1 and earlier, disclosed on October 29, 2025. The vulnerability stems from a missing permission check in an HTTP endpoint, affecting the Jenkins automation server's security controls. This vulnerability is part of a broader security advisory that addressed multiple Jenkins plugin vulnerabilities (Jenkins Project, OSS Security).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The core issue lies in the plugin's failure to implement proper permission checks in an HTTP endpoint, which is classified under CWE-862 (Missing Authorization). The vulnerability specifically affects the Themis Plugin versions up to and including 1.4.1 (Miggo).

The vulnerability allows attackers with Overall/Read permission to connect to an attacker-specified URL, potentially enabling server-side request forgery (SSRF) attacks. This security flaw could be exploited to make unauthorized connections to internal or external systems through the Jenkins server (Jenkins Project).

As of the advisory's publication date, no official fix has been released for this vulnerability. Users of the affected Themis Plugin versions should monitor for updates and consider implementing additional access controls or network-level restrictions to minimize potential exploitation (Jenkins Project).