Cyber Posture

CVE-2025-24398

High

Published: 22 January 2025

Modified: 06 June 2025
KEV Added: not listed
Patch: see Jenkins advisory
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (22.0th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-24398 is a high-severity CSRF (CWE-352) vulnerability in Jenkins Bitbucket Server Integration. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 22.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1204.001, listed below). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-2 Flaw Remediation (prevent): Directly requires timely identification, reporting, and remediation of the specific CSRF bypass flaw in the Jenkins Bitbucket Server Integration Plugin.
- SC-23 Session Authenticity (prevent): Mandates mechanisms to protect communications session authenticity, directly addressing the CSRF protections bypassed by crafted URLs in the plugin.
- Input validation (prevent): Requires validation of inputs such as maliciously crafted URLs to block exploitation attempts against Jenkins endpoints.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1204.001 Malicious Link (User Execution): An adversary may rely upon a user clicking a malicious link in order to gain execution.

Why these techniques?

The CVE describes a CSRF bypass vulnerability in the public-facing Jenkins Bitbucket Server Integration Plugin, allowing crafted malicious URLs to perform unauthorized actions on protected endpoints. This directly enables exploitation of a public-facing application (T1190) and requires user interaction via clicking a malicious link (T1204.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

Deeper analysis

CVE-2025-24398 affects the Jenkins Bitbucket Server Integration Plugin in versions 2.1.0 through 4.1.3 inclusive. The vulnerability enables attackers to craft URLs that bypass Cross-Site Request Forgery (CSRF) protection for any target URL within a Jenkins instance. Classified as CWE-352, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.

Unauthenticated attackers (PR:N) can exploit this by luring Jenkins users with no special privileges into interacting with malicious URLs (UI:R), such as clicking a link. Successful exploitation bypasses CSRF safeguards, allowing the attacker to perform unauthorized actions on any CSRF-protected Jenkins endpoint, potentially compromising the instance entirely given the high impact scores across all vectors.

The official Jenkins security advisory provides mitigation guidance, including patch details, and is available at https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3434.

Details

CWE(s): CWE-352 (Cross-Site Request Forgery)

Affected Products

Jenkins Bitbucket Server Integration Plugin: 2.1.0 to 4.1.4 (the NVD description above gives 2.1.0 through 4.1.3, both inclusive, as the affected range)

CVEs Like This One

- CVE-2025-26550 (shared CWE-352)
- CVE-2025-23661 (shared CWE-352)
- CVE-2026-39640 (shared CWE-352)
- CVE-2025-25147 (shared CWE-352)
- CVE-2025-25100 (shared CWE-352)
- CVE-2025-23872 (shared CWE-352)
- CVE-2025-24756 (shared CWE-352)
- CVE-2025-55045 (shared CWE-352)
- CVE-2024-56903 (shared CWE-352)
- CVE-2025-31690 (shared CWE-352)
