

Severity
High
Analysis Summary
Jenkins has disclosed four critical security vulnerabilities affecting versions prior to 2.500 (weekly) and 2.492.2 (LTS), posing risks such as secret disclosure, CSRF attacks, and open redirects. Two of these, CVE-2025-27622 and CVE-2025-27623, stem from improper redaction of encrypted secrets in agent and view configurations, allowing attackers with limited permissions to retrieve unredacted credentials via API or CLI access. This flaw, linked to a similar 2016 issue (SECURITY-266), arises from inadequate access validation when processing config.xml requests, exposing sensitive data like API keys and database passwords.
Another flaw, CVE-2025-27624, introduces a CSRF risk because Jenkins permitted GET requests to change sidepanel widget state without CSRF protection. Attackers could exploit this to inject arbitrary strings into user profiles, enabling stored XSS or data exfiltration. The fix requires POST requests for these state changes, in line with REST security principles. Meanwhile, CVE-2025-27625 stems from lax URL validation in Jenkins, which allowed open redirects through backslash manipulation of redirect targets. Attackers could redirect users to phishing domains disguised as internal Jenkins links; the latest updates mitigate this by rejecting such URLs.
Administrators must upgrade immediately to Jenkins 2.500 or LTS 2.492.2 to mitigate these risks. If immediate patching isn't feasible, they should restrict Agent/Extended Read and View/Read permissions, block URLs containing backslashes via reverse proxy rules, and enable CSRF filters. These vulnerabilities underscore the ongoing challenge of securing CI/CD tools with broad API exposure, making proactive patch management and strict access controls essential to protecting against supply chain attacks.
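To show why the advisory's mitigation rejects backslashes outright rather than relying on a "starts with a single slash" test, here is an added example (not Jenkins' own code) comparing a naive same-origin redirect check with a hardened one; the sample URLs are constructed for illustration.

```python
"""Added illustrative example: naive vs. hardened redirect-target validation.

Browsers normalise a backslash in a URL to a forward slash, so a target like
"/\\evil.example/" is treated by the browser as "//evil.example/", a
protocol-relative URL that leaves the site. A server-side check that only
looks for a leading single "/" therefore accepts an external redirect.
"""
from urllib.parse import unquote, urlsplit


def naive_is_safe_redirect(url: str) -> bool:
    """Weak check: 'one leading slash means local'. Bypassed by "/\\host"."""
    return url.startswith("/") and not url.startswith("//")


def hardened_is_safe_redirect(url: str) -> bool:
    """Accept only path-absolute, same-origin targets.

    Mirrors the mitigation the advisory describes (reject backslashes) and adds
    the checks a practitioner would pair with it.
    """
    # Normalise percent-encoding first so "%5C" cannot smuggle a backslash past
    # the literal-character test below.
    decoded = unquote(url)
    # Reject backslashes and any control/whitespace character (browsers strip
    # tabs and newlines, so they must not be allowed to split the check).
    if any(c == "\\" or ord(c) < 0x21 for c in decoded):
        return False
    # Path-absolute only: exactly one leading slash, so no scheme or authority.
    if not decoded.startswith("/") or decoded.startswith("//"):
        return False
    parts = urlsplit(decoded)
    return parts.scheme == "" and parts.netloc == "" and parts.path.startswith("/")


if __name__ == "__main__":
    # Constructed sample redirect targets: a legitimate Jenkins-style path and
    # several external-redirect attempts.
    samples = ["/job/build/42/", "/\\evil.example/", "/%5Cevil.example/",
               "//evil.example/", "https://evil.example/"]
    for s in samples:
        print(f"{s!r:28} naive={naive_is_safe_redirect(s)!s:5} "
              f"hardened={hardened_is_safe_redirect(s)}")
```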
Impact
- Gain Access
- Information Disclosure
Indicators of Compromise
CVE
- CVE-2025-27622
- CVE-2025-27623
Affected Vendors
- Jenkins
Remediation
Upgrade to the latest version of Jenkins (2.500 weekly or 2.492.2 LTS, or later), as recommended in the Jenkins Security Advisory.