High severity · GHSA Advisory · Published Dec 10, 2025 · Updated Dec 10, 2025
CVE-2025-67641
Description
Jenkins Coverage Plugin 2.3054.ve1ff7b_a_a_123b_ and earlier validates the configured coverage results ID only when the job configuration is submitted through the UI form, not when the coverage results are created. An attacker with Item/Configure permission can therefore bypass the form validation by configuring the job through the REST API (for example, by posting a crafted config.xml) and set a javascript: scheme URL as the identifier, resulting in a stored cross-site scripting (XSS) vulnerability that fires when the coverage results are viewed.
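Because the weak point is configuration that never passed through the form validator, an administrator's practical check is to audit the stored job configurations rather than the UI. The following Python script is an added example (not code from the Coverage Plugin or from the advisory): it parses job config.xml documents, extracts the coverage results ID, and flags any value that is not a plain identifier. The element names (the CoverageRecorder tag and its child `id`) and the allowed-character policy are assumptions to adapt to your instance; the sample config.xml documents are constructed for the example. It deliberately uses an allow-list instead of searching for the literal string "javascript:", because browsers tolerate leading whitespace, control characters and mixed case in a scheme, so a block-list check is easy to slip past.

```python
import re
import xml.etree.ElementTree as ET

# Assumed element names; check an exported config.xml from your own Jenkins
# instance and adjust these if the Coverage Plugin serializes them differently.
RECORDER_TAG = "io.jenkins.plugins.coverage.metrics.steps.CoverageRecorder"
ID_TAG = "id"

# Assumed policy: an ID is a short token of letters, digits, '_', '.' and '-'.
# Anything else (including ':' and whitespace) is rejected, which covers every
# scheme URL without needing a list of dangerous schemes.
SAFE_ID = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# Matches any URL scheme prefix, tolerating leading whitespace and mixed case.
SCHEME_PREFIX = re.compile(r"^\s*[A-Za-z][A-Za-z0-9+.-]*:", re.IGNORECASE)

# Constructed sample config.xml documents (not real job exports).
SAMPLE_BENIGN = f"""<project>
  <publishers>
    <{RECORDER_TAG}>
      <id>unit-tests</id>
      <name>Unit Tests</name>
    </{RECORDER_TAG}>
  </publishers>
</project>"""

SAMPLE_MALICIOUS = f"""<project>
  <publishers>
    <{RECORDER_TAG}>
      <id>javascript:alert(document.domain)</id>
      <name>Unit Tests</name>
    </{RECORDER_TAG}>
  </publishers>
</project>"""


def coverage_ids(config_xml):
    """Yield the configured coverage results ID of every CoverageRecorder in a job config."""
    root = ET.fromstring(config_xml)
    for recorder in root.iter(RECORDER_TAG):
        id_element = recorder.find(ID_TAG)
        yield (id_element.text or "") if id_element is not None else ""


def is_safe_id(value):
    """True only if the ID matches the conservative allow-list policy."""
    return SAFE_ID.match(value) is not None


def is_scheme_url(value):
    """True if the value starts with a URL scheme such as javascript:, data: or vbscript:."""
    return SCHEME_PREFIX.match(value) is not None


def audit(config_xml):
    """Return the list of coverage results IDs that fail the allow-list check."""
    return [value for value in coverage_ids(config_xml) if not is_safe_id(value)]


if __name__ == "__main__":
    for label, doc in (("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS)):
        for bad in audit(doc):
            kind = "scheme URL" if is_scheme_url(bad) else "non-identifier"
            print(f"{label}: rejected coverage results ID {bad!r} ({kind})")
```

To run it against a live instance, fetch each job's stored configuration with an API token (for example `curl -u USER:TOKEN https://JENKINS/job/NAME/config.xml`) and pass the body to `audit()`; any non-empty result is a job whose coverage ID bypassed the form validator and should be fixed before the plugin is upgraded, since the upgrade alone does not rewrite already-stored configuration.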
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.jenkins.plugins:coverage | Maven | < 2.3056 | 2.3056 |
Affected products
- io.jenkins.plugins:coverage, range: < 2.3056
References
- GHSA advisory: https://github.com/advisories/GHSA-v3f3-rf6r-43x5
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-67641
- Vendor advisory: https://www.jenkins.io/security/advisory/2025-12-10/
- Commit: https://github.com/jenkinsci/coverage-plugin/commit/1dfe888b02499d39185397862cf2790efc03e955
News mentions
- Jenkins Security Advisory 2025-12-10, Jenkins Security Advisories, Dec 10, 2025