CVE-2025-64140: Jenkins Azure CLI Plugin does not restrict the commands it executes

October 29, 2025 (updated November 5, 2025)

Jenkins Azure CLI Plugin 0.9 and earlier does not restrict which commands it executes on the Jenkins controller.

This allows attackers with Item/Configure permission to execute arbitrary shell commands on the Jenkins controller.

As of publication of this advisory, there is no fix.

References

github.com/advisories/GHSA-rh72-238f-g26q
github.com/jenkinsci/azure-cli-plugin
nvd.nist.gov/vuln/detail/CVE-2025-64140
www.jenkins.io/security/advisory/2025-10-29/

Code Behaviors & Features

Detect and mitigate CVE-2025-64140 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →