VYPR
Moderate severity · NVD Advisory · Published Mar 5, 2025 · Updated Mar 6, 2025

CVE-2025-27625

Description

In Jenkins 2.499 and earlier, LTS 2.492.1 and earlier, redirects starting with backslash (\) characters are considered safe, allowing attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site, because browsers interpret these characters as part of scheme-relative redirects.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins fails to sanitize redirects starting with backslash, enabling phishing via scheme-relative URLs.

Root Cause

CVE-2025-27625 is an open redirect vulnerability in Jenkins core. In Jenkins 2.499 and earlier, and LTS 2.492.1 and earlier, the redirect validation (Util.isSafeToRedirectTo) rejects absolute URIs and targets starting with "//", but treats a target starting with a backslash (\) as a safe, same-site path [1]. Browsers, however, parse a backslash in an http(s) URL as if it were a forward slash, so a target such as \\example.org or /\example.org is resolved exactly like //example.org: a scheme-relative URL whose host is example.org. The gap between what Jenkins validates and what the browser actually resolves is the vulnerability.

Exploitation

An attacker crafts a link to the Jenkins instance whose redirect parameter starts with a backslash, for example .../userContent?path=\\example.org. Jenkins accepts the value as an internal path and answers with a 302 redirect to it [4]. The victim's browser resolves \\example.org as //example.org, which, for a page served over https, means https://example.org/, so the user lands on a site the attacker controls [1]. The only precondition is that the victim opens the crafted Jenkins URL.

Impact

Successful exploitation allows an attacker to redirect users from a legitimate Jenkins instance to an arbitrary external domain. This can be leveraged for phishing attacks, where victims may be tricked into entering credentials on a spoofed page that appears to be part of the Jenkins site, or for other social engineering schemes. The vulnerability is particularly dangerous because the initial URL appears to belong to the trusted Jenkins server.

Mitigation

The issue is fixed in Jenkins 2.500 and LTS 2.492.2 [2]. The patched Util.isSafeToRedirectTo rejects any target that starts with a backslash, and additionally rejects any target that starts with "//" once backslashes are normalized to forward slashes, which is what the browser would do; the tests added with the fix cover \\example.org, \/example.org, /\example.org and \example.org [4]. Administrators should upgrade to a fixed version. Because the attack needs nothing more than a link to a trusted Jenkins hostname, instances that cannot be upgraded promptly should be treated as exposed to phishing.
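The validation gap described under Root Cause, the crafted targets under Exploitation, and the corrected check under Mitigation, worked through as one added example. This is JavaScript written for this page, not code from Jenkins: isAbsoluteUri is a re-implementation modelled on the hudson.Util method (a ':' before any '/', '?' or '#' counts as a scheme), the two isSafeToRedirectTo variants are ports of the line shown in the patch before and after the fix, and the hostname jenkins.example is a hypothetical Jenkins base URL. Browser behaviour is taken from Node's WHATWG-conformant URL class, which, like browsers, treats '\' as '/' in http(s) URLs.

```javascript
// Added example (not Jenkins' own code): a JavaScript port of the
// hudson.Util.isSafeToRedirectTo check before and after the SECURITY-3501
// fix, compared with how a WHATWG URL parser (the one browsers use, and
// Node's built-in URL class) resolves the same redirect targets.

// Hypothetical Jenkins base URL, used only for illustration.
const JENKINS_BASE = "https://jenkins.example/";

// Modelled on hudson.Util.isAbsoluteUri (assumption, not the original code):
// the string carries a scheme when a ':' appears before the first '/', '?'
// and '#'. "foo/bar/abc:def" and "foo?abc:def" are therefore not absolute.
function isAbsoluteUri(uri) {
  const colon = uri.indexOf(":");
  if (colon < 0) return false;
  const firstOf = (ch) => {
    const i = uri.indexOf(ch);
    return i < 0 ? uri.length : i;
  };
  return colon < firstOf("#") && colon < firstOf("?") && colon < firstOf("/");
}

// Pre-fix check (Jenkins <= 2.499, LTS <= 2.492.1): only a literal "//"
// prefix is treated as scheme-relative; backslashes pass straight through.
function isSafeToRedirectToVulnerable(uri) {
  return !isAbsoluteUri(uri) && !uri.startsWith("//");
}

// Post-fix check (Jenkins 2.500, LTS 2.492.2): reject a leading backslash
// outright, and reject "//" after mapping '\' to '/' the way a browser would.
function isSafeToRedirectToFixed(uri) {
  return (
    !isAbsoluteUri(uri) &&
    !uri.startsWith("\\") &&
    !uri.replace(/\\/g, "/").startsWith("//")
  );
}

// Where a browser ends up after `Location: <target>` from a page on base.
// For special schemes (http, https) the WHATWG parser treats '\' exactly
// like '/', which is the behaviour the vulnerable check did not account for.
function browserDestination(target, base = JENKINS_BASE) {
  return new URL(target, base).href;
}

// True when the resolved destination is on a different origin than base.
function leavesOrigin(target, base = JENKINS_BASE) {
  return new URL(target, base).origin !== new URL(base).origin;
}

// Classify one redirect target against both checks and the browser.
// `openRedirect` is true when the old check would have let the browser
// leave the Jenkins origin.
function evaluate(target, base = JENKINS_BASE) {
  const vulnerableAllows = isSafeToRedirectToVulnerable(target);
  return {
    target,
    vulnerableAllows,
    fixedAllows: isSafeToRedirectToFixed(target),
    browserGoesTo: browserDestination(target, base),
    openRedirect: vulnerableAllows && leavesOrigin(target, base),
  };
}

// Constructed inputs: the four backslash forms from the fix's tests, the two
// forms already rejected under SECURITY-276, and two benign same-site paths.
const CANDIDATES = [
  "\\\\example.org", // \\example.org
  "\\/example.org", // \/example.org
  "/\\example.org", // /\example.org
  "\\example.org", // \example.org (resolves on-site, but a leading '\' is rejected anyway)
  "//example.org",
  "https://example.org",
  "job/build-1/",
  "/userContent/",
];

function report(base = JENKINS_BASE) {
  return CANDIDATES.map((t) => evaluate(t, base));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(report());
}
```

Running it shows the three rows where vulnerableAllows is true while browserGoesTo is https://example.org/, which is the open redirect; the single-backslash case stays on jenkins.example in the browser yet is still refused by the fixed check, matching the `\google.com` assertion in the patch.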

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                    Affected versions     Patched version
org.jenkins-ci.main:jenkins-core (Maven)   < 2.492.2             2.492.2
org.jenkins-ci.main:jenkins-core (Maven)   >= 2.493, < 2.500     2.500

Affected products (5)

Patches (1)

4a9a3ecd08fc [SECURITY-3501]
https://github.com/jenkinsci/jenkins · Daniel Beck · Feb 25, 2025 · via ghsa
3 files changed · +39 −2
  • core/src/main/java/hudson/Util.java+1 1 modified
    @@ -1651,7 +1651,7 @@ public static boolean isAbsoluteUri(@NonNull String uri) {
          * @since 2.3 / 1.651.2
          */
         public static boolean isSafeToRedirectTo(@NonNull String uri) {
    -        return !isAbsoluteUri(uri) && !uri.startsWith("//");
    +        return !isAbsoluteUri(uri) && !uri.startsWith("\\") && !uri.replace('\\', '/').startsWith("//");
         }
     
         /**
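Review bot: the new return line bundles two distinct rejections without a comment or a Javadoc change, and it is easy to misread one clause as subsuming the other. `!uri.startsWith("\\")` is the only thing that rejects a single leading backslash (`\google.com` normalises to `/google.com`, which the `//` test passes), while `/\google.com` is only caught after `replace('\\', '/')` turns it into `//google.com`. Suggest a one-line comment above the return, e.g. `// browsers treat '\' like '/' in http(s) URLs: normalise before the scheme-relative check and refuse any leading '\' outright`, plus a sentence in the Javadoc above stating that targets beginning with a backslash are rejected, so that callers and future edits do not drop one clause on the assumption that the other covers it.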
    
  • core/src/test/java/hudson/UtilTest.java+5 1 modified
    @@ -416,12 +416,16 @@ public void testIsAbsoluteUri() {
         }
     
         @Test
    -    @Issue("SECURITY-276")
    +    @Issue({"SECURITY-276", "SECURITY-3501"})
         public void testIsSafeToRedirectTo() {
             assertFalse(Util.isSafeToRedirectTo("http://foobar/"));
             assertFalse(Util.isSafeToRedirectTo("mailto:kk@kohsuke.org"));
             assertFalse(Util.isSafeToRedirectTo("d123://test/"));
             assertFalse(Util.isSafeToRedirectTo("//google.com"));
    +        assertFalse(Util.isSafeToRedirectTo("\\\\google.com"));
    +        assertFalse(Util.isSafeToRedirectTo("\\/google.com"));
    +        assertFalse(Util.isSafeToRedirectTo("/\\google.com"));
    +        assertFalse(Util.isSafeToRedirectTo("\\google.com"));
     
             assertTrue(Util.isSafeToRedirectTo("foo/bar/abc:def"));
             assertTrue(Util.isSafeToRedirectTo("foo?abc:def"));
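Review bot: the four new assertFalse cases cover the rejection side only; there is no positive case showing that a backslash away from the prefix is still accepted, even though the production change only inspects the leading characters. Adding something like `assertTrue(Util.isSafeToRedirectTo("foo\\bar"));` beside the existing `foo/bar/abc:def` case documents that scope and keeps a later, broader "reject any backslash" change from silently widening the check. The `@Issue({"SECURITY-276", "SECURITY-3501"})` form is fine, but a short comment saying which inputs belong to which issue would make the split obvious to the next reader.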
    
  • test/src/test/java/jenkins/security/Security3501Test.java+33 0 added
    @@ -0,0 +1,33 @@
    +package jenkins.security;
    +
    +import static org.hamcrest.MatcherAssert.assertThat;
    +import static org.hamcrest.Matchers.is;
    +
    +import java.util.List;
    +import org.htmlunit.FailingHttpStatusCodeException;
    +import org.junit.Assert;
    +import org.junit.Rule;
    +import org.junit.Test;
    +import org.jvnet.hudson.test.JenkinsRule;
    +import org.jvnet.hudson.test.RealJenkinsRule;
    +
    +public class Security3501Test {
    +    @Rule
    +    public RealJenkinsRule jj = new RealJenkinsRule();
    +
    +    @Test
    +    public void testRedirects() throws Throwable {
    +        jj.then(Security3501Test::_testRedirects);
    +    }
    +
    +    public static void _testRedirects(JenkinsRule j) throws Exception {
    +        List<String> prohibitedPaths = List.of("%5C%5Cexample.org", "%5C/example.org", "/%5Cexample.org", "//example.org", "https://example.org", "\\example.org");
    +        for (String path : prohibitedPaths) {
    +            try (JenkinsRule.WebClient wc = j.createWebClient().withRedirectEnabled(false)) {
    +                final FailingHttpStatusCodeException fhsce = Assert.assertThrows(FailingHttpStatusCodeException.class, () -> wc.goTo("userContent?path=" + path));
    +                assertThat(fhsce.getStatusCode(), is(302));
    +                assertThat(fhsce.getResponse().getResponseHeaderValue("Location"), is(j.getURL().toExternalForm() + "userContent/"));
    +            }
    +        }
    +    }
    +}
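Review bot: when one of the six paths regresses, the two assertThat calls inside the loop fail without saying which `path` was under test, because neither passes a reason; use the three-argument form, e.g. `assertThat(path, fhsce.getStatusCode(), is(302));` and likewise for the Location header. Two comments on `prohibitedPaths` would also help: `//example.org` and `https://example.org` were already rejected under SECURITY-276 and are here as regression cases, and the list deliberately mixes percent-encoded backslashes (`%5C`) with a raw `\\example.org`, so the server is guaranteed to see a backslash byte in the encoded cases while the last one exercises whatever the HTTP client does with an unencoded one. Finally, the expected Location is the `userContent/` fallback rather than an error response; a line noting that an unsafe target is replaced, not refused with a 4xx, would save the next reader a trip to the controller.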
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (4)

News mentions (1)