11 Apr


In the ever-evolving world of DevOps automation, Jenkins is a cornerstone tool powering countless build pipelines across organizations of all sizes. But a recently disclosed vulnerability has revealed a threat lurking in the background of some Jenkins build environments—host key reuse in SSH build agent Docker images, now tracked as CVE-2025-32754 and CVE-2025-32755.
According to the security advisory, the issue affects the jenkins/ssh-agent Docker images (versions up to and including 6.11.1) and all versions of the deprecated jenkins/ssh-slave image.
“As a result, all containers based on images of the same version use the same SSH host keys,” the advisory warns.

This means that every time a new build agent is spun up from the same vulnerable image, it reuses the same set of SSH host keys—a severe misstep in secure system design. Host keys are intended to uniquely identify a server to clients and form the cryptographic backbone of trust in SSH connections. Reusing them across containers obliterates that trust.
If an attacker can position themselves between the Jenkins controller (the SSH client) and one of these identically-keyed build agents, they can masquerade as a legitimate agent—without raising a single SSH authenticity warning. This opens the door to a wide range of supply chain and data integrity attacks, including:

- Intercepting or modifying build artifacts
- Harvesting credentials or secrets used during builds
- Injecting malicious code into build pipelines

“This allows attackers able to insert themselves into the network path between the SSH client (typically the Jenkins controller) and SSH build agent to impersonate the latter,” the advisory explains.
Jenkins has released updated jenkins/ssh-agent images in version 6.11.2, which introduce a critical change:
“The jenkins/ssh-agent 6.11.2 Docker images based on Debian delete the automatically generated SSH host keys created during image creation. New host keys are generated on the first container startup.”
This means that every new container gets a fresh set of SSH keys on startup—restoring the secure, trust-based handshake between controller and agent.
Unfortunately, there’s bad news for users still relying on the legacy jenkins/ssh-slave image. It is deprecated and will not be updated. Jenkins urges users to migrate to jenkins/ssh-agent immediately for continued support and security:
“jenkins/ssh-slave is deprecated and will not be updated. Use jenkins/ssh-agent instead.”
