VYPR
Moderate severity · NVD Advisory · Published Jul 9, 2025 · Updated Nov 4, 2025

CVE-2025-53651

Description

Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins HTML Publisher Plugin 425 and earlier exposes absolute file paths in build log messages, leaking Jenkins controller filesystem information.

Vulnerability

Overview

The Jenkins HTML Publisher Plugin, used to archive and display HTML reports generated during builds, contains an information disclosure vulnerability (CVE-2025-53651). In version 425 and earlier, when the plugin runs the "Publish HTML reports" post-build step, it writes log messages that include the absolute paths of the files being archived [1][2][3]. This behavior inadvertently exposes the internal directory structure of the Jenkins controller's filesystem to anyone who can view the build log.

Exploitation

Context

An attacker needs no special authentication beyond the ability to view build logs, which is typically granted to any user with read access to job builds. Because the paths appear in the build log automatically, without any misconfiguration by the job owner, every user who can view build output can see them [1][2]. No additional privileges or social engineering are needed to obtain the leaked information.

Impact

The leak is limited to file path information; no file contents or credentials are directly exposed. However, knowledge of absolute paths on the Jenkins controller can aid reconnaissance for further attacks, such as path traversal against other components [1]. Jenkins rates this information disclosure as Medium severity [1].

Mitigation

Jenkins has released HTML Publisher Plugin version 427, which fixes the issue by logging only the name of the parent directory of each archived file instead of its full absolute path [1][2]. Administrators should update to version 427 or later. There is no workaround other than restricting build log access to trusted users.

References

  • [1] Jenkins Security Advisory 2025-07-09 (SECURITY-3547)
  • [2] Openwall oss-security mailing list post
  • [3] NVD entry for CVE-2025-53651
  • [4] GitHub repository for the HTML Publisher Plugin (for background)

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                               | Ecosystem | Affected versions | Patched versions
org.jenkins-ci.plugins:htmlpublisher  | Maven     | < 427             | 427

Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 1