The Jenkins project has released a new security advisory highlighting several medium to high severity vulnerabilities affecting Jenkins core and popular community plugins. These issues span from missing permission checks and CSRF vulnerabilities to the plaintext storage of API keys and passwords, potentially impacting millions of Jenkins users in DevOps pipelines worldwide.
The advisory highlights two medium-severity vulnerabilities in Jenkins core related to agent configurations:
Missing permission check allows retrieving agent configurations (CVE-2025-31720): In Jenkins versions 2.503 and earlier, as well as LTS 2.492.2 and earlier, a missing permission check in an HTTP endpoint allows attackers with Computer/Create permission to copy an agent and gain access to its configuration. This vulnerability is addressed in Jenkins 2.504 and LTS 2.492.3, which now require Computer/Extended Read permission for copying an agent.
Missing permission check allows retrieving secrets from agent configurations (CVE-2025-31721): Similar to the previous vulnerability, Jenkins versions 2.503 and earlier, and LTS 2.492.2 and earlier, lack a permission check in an HTTP endpoint, enabling attackers with Computer/Create permission to copy an agent and access encrypted secrets within its configuration. Jenkins 2.504 and LTS 2.492.3 resolve this by requiring Computer/Configure permission to copy an agent containing secrets.
The advisory also details vulnerabilities in several Jenkins plugins:
Templating Engine Plugin (CVE-2025-31722): A high-severity vulnerability exists in the Templating Engine Plugin, where folder-scoped libraries are not subject to sandbox protection in versions 2.5.3 and earlier. This allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM. Version 2.5.4 of the plugin addresses this by applying sandbox protection to folder-scoped libraries.
Simple Queue Plugin (CVE-2025-31723): Simple Queue Plugin versions 1.4.6 and earlier contain cross-site request forgery (CSRF) vulnerabilities due to the lack of POST requests for multiple HTTP endpoints. These vulnerabilities enable attackers to change and reset the build queue order. Version 1.4.7 resolves this issue by requiring POST requests for the affected HTTP endpoints, although administrators can enable equivalent HTTP endpoints without CSRF protection via the global configuration.
Cadence vManager Plugin (CVE-2025-31724): Cadence vManager Plugin versions 4.0.0-282.v5096a_c2db_275 and earlier store Verisium Manager VAPI keys unencrypted in job config.xml files on the Jenkins controller. This allows users with Item/Extended Read permission or access to the Jenkins controller file system to view these API keys. Version 4.0.1-286.v9e25a_740b_a_48 encrypts the Verisium Manager VAPI keys once affected job configurations are saved again.
monitor-remote-job Plugin (CVE-2025-31725): The monitor-remote-job Plugin version 1.0 stores passwords unencrypted in job config.xml files on the Jenkins controller, making them viewable by users with Item/Extended Read permission or access to the Jenkins controller file system. As of the advisory's publication, there is no fix available for this plugin.
Stack Hammer Plugin (CVE-2025-31726): Stack Hammer Plugin versions 1.0.6 and earlier store Stack Hammer API keys unencrypted in job config.xml files, exposing them to users with Item/Extended Read permission or access to the Jenkins controller file system. There is currently no fix for this plugin.
Asakusa Satellite Plugin (CVE-2025-31727, CVE-2025-31728): AsakusaSatellite Plugin versions 0.1.1 and earlier store AsakusaSatellite API keys unencrypted in job config.xml files. These API keys are viewable by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job configuration form does not mask these API keys, increasing the risk of observation and capture. No fix is currently available for this plugin.
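Four of the plugin issues above share one root cause: a credential written to a job's config.xml as plain text instead of as an encrypted Jenkins Secret. As an added example (not code from the advisory or from any of the plugins it names), the following Python script shows how an administrator could audit the config.xml files under JENKINS_HOME for credential-looking elements that are not stored in encrypted form. It assumes that encrypted hudson.util.Secret values are serialised as a base64 string wrapped in curly braces; the element-name hints, the hypothetical `com.example.HypotheticalNotifier` element and the sample config.xml are constructed for the demonstration and are not the schema of any affected plugin.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: Jenkins serialises an encrypted hudson.util.Secret in config.xml
# as "{<base64>}". Anything else inside a secret-bearing element is plaintext.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Heuristic element-name fragments that usually carry credentials. This list is
# a constructed assumption, not the schema of any plugin named in the advisory.
SECRET_TAG_HINTS = ("apikey", "password", "passwd", "token", "secret")


def is_secret_tag(tag: str) -> bool:
    """True if the element name looks like it holds a credential."""
    lowered = tag.lower()
    return any(hint in lowered for hint in SECRET_TAG_HINTS)


def find_plaintext_secrets(config_xml: str):
    """Return a list of (element_path, value) for every secret-looking element
    whose text is non-empty and not in Jenkins' encrypted "{...}" form."""
    root = ET.fromstring(config_xml)
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        if text and is_secret_tag(elem.tag) and not ENCRYPTED_SECRET.match(text):
            findings.append((here, text))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def scan_jenkins_home(jenkins_home):
    """Scan jobs/*/config.xml under JENKINS_HOME and return a dict mapping the
    relative file path to its findings, for files with at least one hit."""
    home = Path(jenkins_home)
    report = {}
    for cfg in home.glob("jobs/*/config.xml"):
        hits = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        if hits:
            report[str(cfg.relative_to(home))] = hits
    return report


# Constructed sample config.xml (hypothetical plugin, not a real one): one
# plaintext API key, one properly encrypted password, one non-secret field.
SAMPLE_CONFIG = """<project>
  <description>demo job</description>
  <builders>
    <com.example.HypotheticalNotifier plugin="hypothetical@1.0">
      <serverUrl>https://example.invalid/api</serverUrl>
      <apiKey>plain-text-api-key-12345</apiKey>
      <password>{AQAAABAAAAAQexampleBase64Payload==}</password>
    </com.example.HypotheticalNotifier>
  </builders>
</project>
"""

if __name__ == "__main__":
    # Print only a masked prefix so the audit output itself does not leak the key.
    for path, value in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"PLAINTEXT SECRET at {path}: {value[:4]}{'*' * (len(value) - 4)}")
    # Against a live controller: print(scan_jenkins_home("/var/lib/jenkins"))
```

Run against a real controller with `scan_jenkins_home("/var/lib/jenkins")` (or wherever JENKINS_HOME lives). A hit means the value is readable by anyone with Item/Extended Read on that job or with file-system access to the controller, which is exactly the exposure the advisory describes; for plugins with a fix, re-saving the job configuration after upgrading is what triggers re-encryption, so re-running the scan afterwards confirms the fix took effect. The name heuristic will produce false positives (a field called `tokenPrefix`, say), so treat the output as a review list rather than a verdict.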
It is imperative for Jenkins administrators to review the advisory carefully, identify affected components, and apply the recommended updates promptly. For plugins without available fixes, administrators should consider implementing mitigating controls or alternative solutions to minimize potential risks.