CVE-2025-64149: 
Java vulnerability analysis and mitigation

A cross-site request forgery (CSRF) vulnerability has been identified in Jenkins Publish to Bitbucket Plugin version 0.4 and earlier, tracked as CVE-2025-64149. The vulnerability was discovered by Daniel Beck from CloudBees, Inc. and was publicly disclosed on October 29, 2025. This security issue affects the Jenkins Publish to Bitbucket Plugin, which is commonly used for integration between Jenkins and Bitbucket repositories (Jenkins Advisory).

The vulnerability stems from a missing permission check in an HTTP endpoint and the absence of POST request requirements. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (NVD, Miggo).

The vulnerability allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials IDs obtained through another method. This can lead to the capture of credentials stored in Jenkins, potentially compromising sensitive authentication information (Jenkins Advisory).

As of the advisory's publication date, no official fix is available for this vulnerability in the Publish to Bitbucket Plugin. Organizations using version 0.4 or earlier of the plugin should monitor for updates and consider implementing additional access controls or security measures to protect against unauthorized access (Jenkins Advisory).