CVE-2025-64134

Jenkins JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to configure input files for the "Report JDepend" step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

Published: Oct 29, 2025
Updated: Oct 30, 2025
CVE: CVE-2025-64134
GHSA: GHSA-jfg6-4gx3-3v7w
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CWEs:

CWE-611

OWASP TOP 10:

A4 - XML External Entities (XXE)

Affected Software
References

Software	From	Fixed in
org.jenkins-ci.plugins / jdepend	-	1.3.1.x

https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-2936

Vulnerability Database

CVE-2025-64134

Deep Security Visibility Without the Complexity