CVE-2025-64142: 
Java vulnerability analysis and mitigation

A missing permission check vulnerability was identified in Jenkins Nexus Task Runner Plugin, tracked as CVE-2025-64142. The vulnerability affects versions 0.9.2 and earlier of the plugin, discovered and disclosed on October 29, 2025. The issue impacts the Jenkins automation server's Nexus Task Runner Plugin component (Jenkins Project, NVD).

The vulnerability stems from a missing permission check in an HTTP endpoint of the Nexus Task Runner Plugin. The issue has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified under CWE-862 (Missing Authorization) (Miggo).

The vulnerability allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password credentials. This could potentially lead to unauthorized access and credential exposure (Jenkins Project).

As of the advisory publication date, no fix is available for this vulnerability. Users of the Nexus Task Runner Plugin version 0.9.2 and earlier should monitor for updates and consider implementing additional access controls (Jenkins Project).

The vulnerability was discovered and reported by Aris ISSAD from Aix Marseille University. The Jenkins security team has acknowledged the vulnerability and included it in their security advisory along with other plugin vulnerabilities (Jenkins Project).