CVE-2025-13472
BlazeMeter Jenkins Plugin is Missing Authorization for Available Resources
EPSS 0.06%
Description
A fix was made in BlazeMeter Jenkins Plugin version 4.27 so that only users with certain permissions can see the list of available resources, such as credential IDs, bzm workspaces and bzm project IDs. Prior to this fix, any user could see this list as a dropdown in the Jenkins UI.
How to fix CVE-2025-13472
To remediate CVE-2025-13472, upgrade the affected package to the fixed version listed below.
- Maven/com.blazemeter.plugins:BlazeMeterJenkinsPlugin—upgrade to 4.27 or later
Is CVE-2025-13472 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Maven/com.blazemeter.plugins:BlazeMeterJenkinsPlugin: versions from 0 up to, but not including, 4.27
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |