CVE-2025-59476
Description
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform the characters that can be inserted from user-specified content in log messages, allowing attackers able to control log message contents to insert line break characters, followed by forged log messages that may mislead administrators reviewing log output.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins fails to sanitize log messages, allowing attackers to inject line breaks and forge log entries, misleading administrators.
Vulnerability
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform characters in user-specified content within log messages. This allows attackers who can control log message content to insert line break characters and forge additional log entries [1][2].
Exploitation
An attacker able to control log message content (e.g., through a plugin or script that writes to logs) can inject line breaks followed by arbitrary text. This forged content may appear as legitimate log entries, potentially misleading administrators during log review [2]. No authentication is required if the attacker can trigger log message generation through an unauthenticated endpoint.
Impact
By inserting forged log messages, an attacker can hide malicious actions or create false audit trails. This could lead to delayed detection of security incidents and undermine trust in log integrity [1][2].
Mitigation
Jenkins 2.528 and LTS 2.516.3 include a fix that sanitizes log message content, preventing line break injection [2]. Administrators should upgrade to these versions or later. No workaround is documented.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
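The fix class described above (transforming line-break characters in user-controlled text before it reaches the log) as an added example in Python; this is not Jenkins code and the sample message is constructed for the demonstration:

```python
"""Added example, not Jenkins code: escape control characters in user-controlled
text before it is written to a log, so that injected content cannot be mistaken
for a separate log record when an administrator reviews the output."""

# Characters that let one message masquerade as several records or alter
# how earlier text is displayed. Each is replaced by a visible escape.
_CONTROLS = {
    "\r": "\\r",
    "\n": "\\n",
    "\x08": "\\b",   # backspace can visually erase preceding characters
    "\x1b": "\\e",   # ESC introduces terminal escape sequences
}


def sanitize_for_log(user_text: str) -> str:
    """Return user_text with record-breaking control characters escaped."""
    return "".join(_CONTROLS.get(ch, ch) for ch in user_text)


def format_record(level: str, user_text: str, sanitize: bool = True) -> str:
    """Build one log record; sanitize=False mimics the unpatched behaviour."""
    body = sanitize_for_log(user_text) if sanitize else user_text
    return f"{level} [demo] {body}\n"


def record_count(log_text: str) -> int:
    """Number of lines an administrator would see as separate records."""
    return sum(1 for line in log_text.splitlines() if line)


# Constructed sample: a user-supplied value that contains a line break
# followed by text shaped like a second record.
SAMPLE = "build label: nightly\nINFO [demo] build succeeded"


def demo() -> tuple:
    """(records seen without sanitizing, records seen with sanitizing)."""
    unsafe = format_record("INFO", SAMPLE, sanitize=False)
    safe = format_record("INFO", SAMPLE)
    return record_count(unsafe), record_count(safe)


if __name__ == "__main__":
    print(format_record("INFO", SAMPLE, sanitize=False), end="")
    print(format_record("INFO", SAMPLE), end="")
    print(demo())  # (2, 1)
```

Reviewing existing logs written before the upgrade still requires care, since records produced by an unpatched version cannot be distinguished after the fact by this transform alone.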
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.main:jenkins-core (Maven) | < 2.516.3 | 2.516.3 |
| org.jenkins-ci.main:jenkins-core (Maven) | >= 2.517, < 2.528 | 2.528 |
Affected products
- Jenkins Project / Jenkins, range: <=2.527, LTS <=2.516.2
- Jenkins Project / Jenkins, range: 2.516.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-qrh5-jg98-cr48 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-59476 (GHSA advisory)
- www.jenkins.io/security/advisory/2025-09-17/ (GHSA, vendor advisory, web)
- www.openwall.com/lists/oss-security/2025/09/17/1 (GHSA, web)
News mentions
- Jenkins Security Advisory 2025-09-17, Jenkins Security Advisories, Sep 17, 2025