Introduction
A single replayed SAML authentication response can log an attacker into Jenkins as the victim user, with every permission that account holds, putting source code, deployment pipelines, and stored credentials at risk. CVE-2025-64131 describes a critical flaw in the Jenkins SAML Plugin that affects organizations relying on SAML single sign-on for access control.
About Jenkins: Jenkins is a leading open source automation server, widely used for continuous integration and deployment by organizations of all sizes. Its plugin ecosystem enables integration with a vast range of tools and authentication providers. The SAML Plugin allows Jenkins to act as a SAML 2.0 service provider, supporting enterprise single sign-on. Jenkins is estimated to be used by tens of thousands of organizations globally, making vulnerabilities in its authentication mechanisms highly impactful.
Technical Information
CVE-2025-64131 is a vulnerability in the Jenkins SAML Plugin, affecting versions 4.583.vc68232f7018a_ and earlier. The core issue is the absence of a replay cache in the plugin's SAML authentication flow. In the SAML 2.0 Web Browser SSO profile, the identity provider (IdP) issues a signed assertion to the user's browser, which POSTs it to the service provider's assertion consumer service (here, Jenkins) to authenticate the user. Because this is a bearer assertion, anyone who holds it can use it; the SAML 2.0 Profiles specification therefore requires the service provider to remember the ID of every bearer assertion it accepts, for at least as long as the assertion's NotOnOrAfter time allows, and to reject any assertion whose ID it has already seen.
In the affected versions, the Jenkins SAML Plugin does not track assertion IDs or maintain a replay cache. An attacker who captures a valid SAML assertion (for example from a compromised client or browser, a TLS-terminating proxy's request logs, or a saved HTTP archive; passive sniffing only works if the HTTPS connection to Jenkins is itself broken) can replay it to Jenkins at any time within the assertion's validity window, which the IdP sets via NotOnOrAfter and which is typically a few minutes. Jenkins accepts the replayed assertion and authenticates the attacker as the original user, with no indication that the assertion has already been used. The resulting Jenkins session then lasts for the normal session lifetime, not just for the assertion's validity window. This is classified as CWE-294 (Authentication Bypass by Capture-replay).
The vulnerability does not require the attacker to know the user's credentials or to compromise the identity provider. The only prerequisite is possession of a valid, unexpired SAML assertion. Exploitation then amounts to submitting the captured SAMLResponse form value to the Jenkins assertion consumer endpoint once more, and the impact depends on the privileges of the replayed user account. Attackers can gain access to source code, CI/CD pipelines, stored credentials, and potentially production environments if Jenkins is integrated with deployment systems.
No code snippets or detection methods have been published as of this writing. Because the vulnerable plugin records nothing that distinguishes a replayed assertion from a fresh one, detection would have to rely on correlating Jenkins login events with the IdP's own sign-in log: a Jenkins login for a user with no matching IdP authentication at that time is suspicious.
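As an added illustration (not the plugin's code and not a published patch), the following Python sketches the check that the vulnerable versions lack: an assertion consumer that records each accepted assertion's ID until its NotOnOrAfter time passes and rejects a second presentation of the same ID. Signature verification is assumed to have already succeeded before this code runs, the SAML Response is a constructed sample, and the issuer, hostname and Recipient URL are placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# SAML 2.0 namespaces used by the Response and Assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def parse_saml_time(value):
    """Parse an xsd:dateTime in UTC ('...Z'), with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML timestamp: {value!r}")


class AssertionConsumer:
    """Validates bearer assertions; the replay cache is what the vulnerable plugin lacks."""

    def __init__(self, replay_protection=True):
        self.replay_protection = replay_protection
        self._seen = {}  # assertion ID -> NotOnOrAfter; dropped once that time has passed

    def accept(self, saml_response, now):
        """Return the NameID of an acceptable assertion, or raise ValueError.
        Assumes the IdP signature over the Response was verified beforehand."""
        root = ET.fromstring(saml_response)
        assertion = root.find("saml:Assertion", NS)
        if assertion is None:
            raise ValueError("no Assertion in Response")
        assertion_id = assertion.get("ID")
        scd = assertion.find(
            "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if not assertion_id or scd is None or not scd.get("NotOnOrAfter"):
            raise ValueError("assertion lacks ID or SubjectConfirmationData/NotOnOrAfter")
        not_on_or_after = parse_saml_time(scd.get("NotOnOrAfter"))
        if now >= not_on_or_after:
            raise ValueError("assertion expired")
        conditions = assertion.find("saml:Conditions", NS)
        if conditions is not None and conditions.get("NotBefore"):
            if now < parse_saml_time(conditions.get("NotBefore")):
                raise ValueError("assertion not yet valid")
        if self.replay_protection:
            # Forget IDs whose window has closed: the expiry check above already rejects them.
            self._seen = {i: exp for i, exp in self._seen.items() if exp > now}
            if assertion_id in self._seen:
                raise ValueError(f"replayed assertion {assertion_id}")
            # SAML 2.0 Profiles 4.1.4.5: remember the ID until NotOnOrAfter has passed.
            self._seen[assertion_id] = not_on_or_after
        return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


# Constructed sample, not a real capture; hostnames and Recipient URL are placeholders.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp-1" Version="2.0" IssueInstant="2025-10-29T12:00:00Z">
  <saml:Assertion ID="_a1b2c3d4" Version="2.0" IssueInstant="2025-10-29T12:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2025-10-29T12:05:00Z"
            Recipient="https://jenkins.example.test/securityRealm/finishLogin"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2025-10-29T11:59:00Z" NotOnOrAfter="2025-10-29T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>
"""


def demo():
    """Present the same captured Response twice to a vulnerable and a hardened consumer."""
    t_login = datetime(2025, 10, 29, 12, 0, 30, tzinfo=timezone.utc)
    t_replay = t_login + timedelta(minutes=2)   # still inside NotOnOrAfter
    t_late = t_login + timedelta(minutes=10)    # after NotOnOrAfter
    results = {}
    vulnerable = AssertionConsumer(replay_protection=False)
    results["vulnerable_first"] = vulnerable.accept(SAMPLE_RESPONSE, t_login)
    results["vulnerable_replay"] = vulnerable.accept(SAMPLE_RESPONSE, t_replay)  # accepted again
    hardened = AssertionConsumer()
    results["hardened_first"] = hardened.accept(SAMPLE_RESPONSE, t_login)
    try:
        hardened.accept(SAMPLE_RESPONSE, t_replay)
        results["hardened_replay"] = "accepted"
    except ValueError as e:
        results["hardened_replay"] = str(e)
    try:
        vulnerable.accept(SAMPLE_RESPONSE, t_late)  # even without a cache, expiry bounds the attack
        results["late_replay"] = "accepted"
    except ValueError as e:
        results["late_replay"] = str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the block shows the vulnerable consumer returning "alice" for both the original and the replayed Response, the hardened consumer rejecting the second presentation as a replay, and both rejecting the Response once NotOnOrAfter has passed. Two design points matter in practice: the expiry check must run before the cache lookup, so that pruning expired IDs can never re-open a window, and the cache must live wherever assertions are consumed, so a multi-controller deployment needs a shared store rather than per-process memory.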
Affected Systems and Versions
- Jenkins SAML Plugin versions 4.583.vc68232f7018a_ and earlier are affected.
- The vulnerability is fixed in version 4.583.585.v22ccc1139f55.
- Any Jenkins instance that uses the SAML Plugin as its security realm and runs a vulnerable version is at risk.
Vendor Security History
Jenkins has a long history as a critical open source automation platform, but its plugin ecosystem has repeatedly been the source of security issues. Authentication and access control plugins, including the SAML Plugin, have seen prior vulnerabilities such as CSRF, improper permission checks, and XML parsing flaws. The Jenkins project typically responds quickly with advisories and patches, but the persistence of fundamental issues like missing replay cache logic highlights the need for more rigorous security review in plugin development.