High severity · GHSA Advisory · Published Dec 10, 2025 · Updated Dec 10, 2025
CVE-2025-67641
Description
Jenkins Coverage Plugin 2.3054.ve1ff7b_a_a_123b_ and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI, allowing attackers with Item/Configure permission to use a javascript: scheme URL as identifier by configuring the job through the REST API, resulting in a stored cross-site scripting (XSS) vulnerability.
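The description names two entry points for the same setting: the UI form check, which validates the ID, and the REST API, which stores the job configuration without running it. The following Java sketch is an added illustration of that gap and of the chokepoint style of fix, not code from the plugin; the regexp, the class and method names and the sample inputs are assumptions (the advisory page shows only the prefix of the exception message).

```java
import java.util.regex.Pattern;

/** Added example: models the two configuration paths named in the advisory. */
public final class IdValidationExample {
    // Assumed pattern: the plugin's real regexp is not shown on the advisory page.
    private static final Pattern VALID_ID = Pattern.compile("[a-zA-Z0-9_-]+");

    /** Throws if the id is unsafe to embed in a URL or element id (e.g. a javascript: scheme). */
    static void ensureValidId(String id) {
        if (id == null || !VALID_ID.matcher(id).matches()) {
            throw new IllegalArgumentException(
                    "An ID must match the regexp pattern " + VALID_ID.pattern() + " but was '" + id + "'");
        }
    }

    /** Before the fix: the value is stored as given; only the UI form check rejects it. */
    static final class UnsafeAction {
        final String id;
        UnsafeAction(String id) {
            this.id = id; // no validation at the point where the result is created
        }
    }

    /** After the fix: validation sits in the constructor, so every caller goes through it. */
    static final class SafeAction {
        final String id;
        SafeAction(String id) {
            ensureValidId(id);
            this.id = id;
        }
    }

    /** Stands in for the form-validation hook that only the UI path invokes. */
    static boolean uiFormCheck(String id) {
        try {
            ensureValidId(id);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String benign = "coverage";
        String hostile = "javascript:alert(1)"; // constructed sample, mirroring the fix's test

        // UI path: the form check rejects the hostile value before it reaches the job config.
        System.out.println("UI form check, benign : " + uiFormCheck(benign));
        System.out.println("UI form check, hostile: " + uiFormCheck(hostile));

        // REST path before the fix: the form check is bypassed and the value is stored verbatim.
        UnsafeAction stored = new UnsafeAction(hostile);
        System.out.println("Stored unchecked id   : " + stored.id);

        // REST path after the fix: creating the result rejects the value regardless of entry point.
        new SafeAction(benign);
        try {
            new SafeAction(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected at creation  : " + e.getMessage());
        }
    }
}
```

The point of placing the check in the constructor rather than in a form-validation method is that the constructor is the one code path every configuration source shares, so a value that skips the UI cannot skip the check.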
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.jenkins.plugins:coverage (Maven) | < 2.3056 | 2.3056 |
Affected products
- Range: < 2.3056
Patches
- 1dfe888b0249 SECURITY-3611 (2 files changed · +18 −0)
plugin/src/main/java/io/jenkins/plugins/coverage/metrics/steps/CoverageBuildAction.java+6 −0 modified@@ -40,6 +40,7 @@ import io.jenkins.plugins.util.JenkinsFacade; import io.jenkins.plugins.util.JobAction; import io.jenkins.plugins.util.QualityGateResult; +import io.jenkins.plugins.util.ValidationUtilities; import static hudson.model.Run.*; @@ -59,6 +60,7 @@ public final class CoverageBuildAction extends BuildAction<Node> implements Stap private static final String NO_REFERENCE_BUILD = "-"; private static final List<Difference> NO_VALUES = List.of(); private static final int MAX_METRICS_COUNT_IN_SUMMARY = 5; + private static final ValidationUtilities VALIDATION_UTILITIES = new ValidationUtilities(); private final String id; private final String name; @@ -210,6 +212,8 @@ public CoverageBuildAction(final Run<?, ?> owner, final String id, final String final boolean canSerialize) { super(owner, result, false); + VALIDATION_UTILITIES.ensureValidId(id); + this.id = id; this.name = name; this.icon = icon; @@ -241,6 +245,8 @@ private <T> ArrayList<T> copy(final List<? extends T> list) { protected Object readResolve() { super.readResolve(); + VALIDATION_UTILITIES.ensureValidId(id); + if (difference == null) { difference = new TreeMap<>(); }
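Review bot: in the constructor hunk, `VALIDATION_UTILITIES.ensureValidId(id)` runs before `this.id = id`, so an invalid identifier is never assigned, which is the right ordering; but because the check throws, a job configured through the REST API with a bad ID will now fail at build time, when the action is created, rather than being rejected when the configuration is saved. Consider also applying the same check where the job configuration is accepted from the REST API so the misconfiguration is reported at configuration time, and document in the constructor's Javadoc that it throws IllegalArgumentException for an invalid `id`.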
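Review bot: the `ensureValidId(id)` call added to `readResolve()` is the half of the fix that covers already persisted data: an action stored before the patch with a `javascript:` ID is rejected when the build record is deserialized instead of being rendered. Since it throws, loading such a build will fail rather than silently dropping the action; that fail-closed choice is sound, but it deserves a short comment at the call site and a changelog note, because administrators upgrading with such builds on disk will see those builds fail to load.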
plugin/src/test/java/io/jenkins/plugins/coverage/metrics/steps/CoverageBuildActionTest.java+12 −0 modified@@ -4,6 +4,7 @@ import org.apache.commons.lang3.math.Fraction; import org.junit.jupiter.api.Test; import org.junitpioneer.jupiter.DefaultLocale; +import org.junitpioneer.jupiter.Issue; import edu.hm.hafner.coverage.Coverage.CoverageBuilder; import edu.hm.hafner.coverage.Difference; @@ -21,6 +22,7 @@ import io.jenkins.plugins.coverage.metrics.model.Baseline; import io.jenkins.plugins.util.QualityGateResult; +import io.jenkins.plugins.util.QualityGateStatus; import static org.assertj.core.api.Assertions.*; import static org.mockito.Mockito.*; @@ -32,6 +34,16 @@ */ @DefaultLocale("en") class CoverageBuildActionTest { + @Test + @Issue("SECURITY-3611") + void shouldValidateInAction() { + String evilId = "javascript:alert(1)"; + assertThatIllegalArgumentException().isThrownBy(() -> + new CoverageBuildAction(mock(FreeStyleBuild.class), evilId, "name", "icon", + new ModuleNode("root"), new QualityGateResult(QualityGateStatus.ERROR), new FilteredLog())) + .withMessageContaining("An ID must match the regexp pattern"); + } + @Test void shouldNotLoadResultIfCoverageValuesArePersistedInAction() { var module = new ModuleNode("module");
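Review bot: `shouldValidateInAction` exercises only the constructor call site; the second `ensureValidId(id)` call added in `readResolve()` is not covered, so a regression there would go unnoticed. Add a companion test that takes a validly constructed action, sets its `id` to `javascript:alert(1)` (for example via an XStream round-trip of the serialized form) and asserts that `readResolve()` throws the same IllegalArgumentException; a positive case asserting that a well-formed ID such as `"coverage"` constructs without exception would also pin down that valid configurations are unaffected.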
References
- github.com/advisories/GHSA-v3f3-rf6r-43x5 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-67641 (NVD advisory)
- www.jenkins.io/security/advisory/2025-12-10/ (vendor advisory)
- github.com/jenkinsci/coverage-plugin/commit/1dfe888b02499d39185397862cf2790efc03e955 (fix commit)