The CVE-2025-XXXXX vulnerability exists because the Jenkins Extensible Choice Parameter plugin does not require POST for one of its HTTP endpoints. Because the endpoint also accepts GET requests, which Jenkins does not protect with its CSRF crumb check, an attacker can craft a link or web page that, when visited by an authenticated Jenkins user, makes the user's browser send a forged request to that endpoint. The forged request triggers execution of a Groovy script, the one the plugin uses to dynamically populate choice parameters. Because the script runs inside the Jenkins script security sandbox, the impact is bounded by what the sandbox permits. Depending on the sandbox configuration, however, the forged request can still result in unauthorized read access to sensitive files on the Jenkins controller file system, since the attacker controls what the Groovy script executed through the endpoint does.
Platform: Jenkins Plugin
Version: <= 239.v5f5c278708cf
Vulnerability: CSRF
Severity: Moderate
Date: 2025-10-29
Prediction: 2025-11-19
What Undercode Say:
curl -X GET 'http://jenkins-host/plugin/extensible-choice-parameter/unsafeEndpoint'
// Example Groovy script for a choice parameter: reads a file on the controller
// and returns its lines as the choices (only works if the sandbox permits this file access)
def list = new File('/path/to/sensitive/file').text
return list.split('\n')
How the exploit works:
The attacker crafts a malicious URL that targets the GET-accessible endpoint. An authenticated admin user clicks the link. The browser sends the forged request with the user's session, and the sandboxed Groovy code runs. Depending on the sandbox configuration, this can lead to disclosure of sensitive files.
Protection from this CVE
Upgrade the plugin as soon as a fixed version is available. Keep Jenkins CSRF protection (crumb tokens) enabled. Use the Script Security plugin and review which scripts and methods are approved. Restrict plugin and job permissions to the users who need them.
Impact:
Unauthorized file read. Information disclosure. Limited by sandbox.
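Until the plugin is upgraded, the request pattern described above is visible in the Jenkins access log: a GET to the plugin's endpoint that succeeds (2xx), especially one whose Referer is missing or points at a foreign origin. The following Python script is an added example and not part of the original post or of the plugin; it parses NCSA combined log lines, flags such requests, and ranks them. The endpoint path is the post's own placeholder ("unsafeEndpoint"), the hostname jenkins.example and the log lines are constructed, and a real deployment would substitute the actual endpoint path and its own hostname.

```python
import re
from urllib.parse import urlparse

# Constructed sample access log in NCSA combined format (the format a reverse proxy or
# the Jenkins access-log plugin typically writes). Not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - alice [29/Oct/2025:10:01:12 +0000] "POST /plugin/extensible-choice-parameter/unsafeEndpoint HTTP/1.1" 200 412 "https://jenkins.example/job/build/" "Mozilla/5.0"
203.0.113.7 - alice [29/Oct/2025:10:02:45 +0000] "GET /plugin/extensible-choice-parameter/unsafeEndpoint?value=x HTTP/1.1" 200 512 "https://evil.example/page.html" "Mozilla/5.0"
203.0.113.9 - bob [29/Oct/2025:10:03:01 +0000] "GET /plugin/extensible-choice-parameter/unsafeEndpoint HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - bob [29/Oct/2025:10:03:30 +0000] "GET /static/abc/css/style.css HTTP/1.1" 200 99 "https://jenkins.example/" "Mozilla/5.0"
203.0.113.7 - alice [29/Oct/2025:10:04:10 +0000] "GET /plugin/extensible-choice-parameter/unsafeEndpoint HTTP/1.1" 200 512 "https://jenkins.example/job/build/build" "Mozilla/5.0"
"""

# NCSA combined: ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

JENKINS_ORIGIN = "jenkins.example"  # assumed hostname of this Jenkins controller
WATCHED_PREFIX = "/plugin/extensible-choice-parameter/"  # plugin path from the post


def parse_line(line):
    """Parse one combined-format line into a dict; None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_host(referer):
    """Lower-cased hostname of a Referer value; '' when absent ('-') or unparsable."""
    if not referer or referer == "-":
        return ""
    return (urlparse(referer).hostname or "").lower()


def classify(entry):
    """Return (severity, reason) for a successful GET to the watched plugin path, else None."""
    if entry["method"] != "GET":
        return None
    path = entry["path"].split("?", 1)[0]
    if not path.startswith(WATCHED_PREFIX):
        return None
    if not entry["status"].startswith("2"):
        return None  # already rejected, e.g. 405 once the endpoint enforces POST
    host = referer_host(entry["referer"])
    if host == "":
        return ("high", "GET to plugin endpoint with no Referer (possible CSRF via top-level navigation)")
    if host != JENKINS_ORIGIN:
        return ("high", f"GET to plugin endpoint referred from foreign origin {host}")
    return ("low", "same-origin GET to plugin endpoint; endpoint should only accept POST")


def scan(log_text):
    """Scan a whole log and return the flagged requests in file order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is None:
            continue
        findings.append({
            "ts": entry["ts"], "user": entry["user"], "ip": entry["ip"],
            "path": entry["path"], "referer": entry["referer"],
            "severity": verdict[0], "reason": verdict[1],
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} user={f['user']} ip={f['ip']} "
              f"{f['path']} referer={f['referer']} :: {f['reason']}")
```

On the sample input the scan reports three requests: two rated high (one referred from evil.example, one with no Referer at all) and one same-origin GET rated low. A missing Referer is ambiguous because browsers strip it under some Referrer-Policy settings, which is why it is surfaced for review rather than discarded. After the plugin is upgraded, the same GETs should appear with a 405 status and no longer be flagged.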
Sources:
Reported By: github.com