Advisory · Published Dec 10, 2025 · Updated May 20, 2026 · 1 source

Jenkins Patches Multiple High-Severity Vulnerabilities in Core and Plugins

Jenkins released a security advisory on December 10, 2025, fixing a dozen flaws including a denial-of-service vulnerability in its HTTP-based CLI, an OS command injection in the Git client Plugin, and stored XSS in the Coverage Plugin.

Jenkins has issued a security advisory covering multiple vulnerabilities in Jenkins Core and several widely used plugins, urging administrators to update affected components immediately. The advisory, published December 10, 2025, addresses CVE-2025-67635, CVE-2025-67636, CVE-2025-67637, CVE-2025-67638, CVE-2025-67639, CVE-2025-67640, CVE-2025-67641, and CVE-2025-67642, along with disclosures for BlazeMeter Plugin and Redpen - Pipeline Reporter for Jira.

A high-severity denial-of-service vulnerability tracked as CVE-2025-67635 affects the HTTP-based CLI in Jenkins 2.540 and earlier, and LTS 2.528.2 and earlier. The flaw occurs because the server does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause request-handling threads to wait indefinitely. The fix was introduced in Jenkins 2.541 and LTS 2.528.3.

A medium-severity missing permission check, CVE-2025-67636, allows attackers with View/Read permission to view encrypted password values in views. Jenkins 2.540 and earlier, and LTS 2.528.2 and earlier, did not enforce the necessary View/Configure permission check for password field redaction. An optional system property (`hudson.Functions.nonRecursivePasswordMaskingPermissionCheck`) is provided for administrators who encounter compatibility issues with the fix.

Jenkins also addressed two related issues around build authorization tokens. CVE-2025-67637 covers the storage of these tokens unencrypted in job config.xml files, where they could be viewed by users with Item/Extended Read permission or file system access. CVE-2025-67638 addresses the lack of masking on the job configuration form. The fix encrypts tokens upon configuration save and masks them in the UI. Administrators can migrate existing jobs to the encrypted format via "Manage Jenkins » Manage Old Data."
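Because the fix for CVE-2025-67637 encrypts tokens only when a job is next saved, jobs configured before the upgrade keep their plaintext value until an administrator runs the migration. The following scanner, added here as an illustration and not part of the Jenkins project or the advisory, reads job config.xml files and reports the ones still holding a clear-text token. It assumes the token lives in an `authToken` element and that Jenkins encrypted secrets appear as base64 wrapped in braces; both the element name and that pattern are assumptions of this example, and the job files it scans are constructed samples.

```python
import re
import tempfile
from pathlib import Path
from xml.etree import ElementTree as ET

# Constructed job configurations for the demonstration (not taken from any
# real Jenkins instance). Real config.xml files also carry an XML declaration.
SAMPLE_JOBS = {
    "legacy-build": """<project>
  <description>freestyle job configured before the fix</description>
  <authToken>trigger-me-1234</authToken>
  <builders/>
</project>""",
    "migrated-build": """<project>
  <authToken>{AQAAABAAAAAQc29tZS1jaXBoZXJ0ZXh0LWJsb2I=}</authToken>
  <builders/>
</project>""",
    "no-token-pipeline": """<flow-definition plugin="workflow-job">
  <description>no remote trigger token configured</description>
</flow-definition>""",
}

# Jenkins stores Secret values as base64 text wrapped in braces; anything else
# in the token element is taken to be the pre-fix plaintext form. The element
# name and this pattern are this example's assumptions about the on-disk
# format; the advisory summary does not quote them.
TOKEN_ELEMENT = "authToken"
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def classify_auth_token(config_xml: str) -> str:
    """Return 'none', 'encrypted' or 'plaintext' for one job's config.xml."""
    root = ET.fromstring(config_xml)
    node = root.find(TOKEN_ELEMENT)
    text = (node.text or "").strip() if node is not None else ""
    if not text:
        return "none"
    return "encrypted" if ENCRYPTED_SECRET.match(text) else "plaintext"


def jobs_needing_migration(jobs: dict) -> list:
    """Names of jobs whose token is still stored in the clear, sorted."""
    return sorted(name for name, xml in jobs.items()
                  if classify_auth_token(xml) == "plaintext")


def scan_jenkins_home(jenkins_home: str) -> list:
    """Walk $JENKINS_HOME/jobs/**/config.xml (folders nest a jobs/ directory
    again) and list the configs an administrator should migrate via
    Manage Jenkins » Manage Old Data."""
    findings = []
    for config in Path(jenkins_home).glob("jobs/**/config.xml"):
        try:
            status = classify_auth_token(config.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue  # not a job config, or damaged: skip rather than guess
        if status == "plaintext":
            findings.append(str(config.relative_to(jenkins_home)))
    return sorted(findings)


def demo_scan() -> list:
    """Materialise SAMPLE_JOBS in a throwaway directory laid out like
    JENKINS_HOME and run the scanner over it."""
    with tempfile.TemporaryDirectory() as home:
        for name, xml in SAMPLE_JOBS.items():
            job_dir = Path(home, "jobs", name)
            job_dir.mkdir(parents=True)
            (job_dir / "config.xml").write_text(xml, encoding="utf-8")
        return scan_jenkins_home(home)


if __name__ == "__main__":
    for job, xml in SAMPLE_JOBS.items():
        print(f"{job:20s} {classify_auth_token(xml)}")
    print("needs migration:", demo_scan())
```

Running it against a real `JENKINS_HOME` is a read-only operation (`scan_jenkins_home("/var/lib/jenkins")`), so it can be run before the upgrade to size the migration and again afterwards to confirm nothing was missed; the same file-system read access that the scan needs is exactly the access the advisory says exposed the tokens, which is why the migration, not the scan, is the fix.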

A low-severity cross-site request forgery vulnerability, CVE-2025-67639, on the login form allowed attackers to trick users into logging in to an attacker-controlled account. Jenkins 2.540 and earlier, and LTS 2.528.2 and earlier, did not require a CSRF token for interactive login requests. The fix adds crumb validation to login processing, with an optional system property to disable the check if needed.

Among the plugin-specific vulnerabilities, a notable medium-severity OS command injection in the Git client Plugin, CVE-2025-67640, affects versions 6.4.0 and earlier. The plugin generates temporary script files containing workspace directory paths as command arguments without proper escaping, allowing attackers who can control workspace directory names — for example, via the `dir(...)` Pipeline step — to inject arbitrary OS commands on Jenkins agents. Git client Plugin 6.4.1 resolves this by passing the workspace path as an environment variable.
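The Git client fix is a general lesson about generated scripts: a path that is pasted into script text becomes shell syntax, while a path handed over in the environment stays data. The example below, added here and reconstructed for illustration rather than taken from the plugin's source, writes a launcher script both ways and runs each against a constructed workspace directory whose name ends in a harmless `; echo INJECTED`. The environment variable name `WORKSPACE_DIR` and the script contents are assumptions of this example; the `echo "running in $(pwd)"` line only reports where each script ended up.

```python
import os
import subprocess
import tempfile


def launcher_vulnerable(workspace: str) -> str:
    """Pre-fix pattern (reconstructed, not the plugin's own code): the workspace
    path is interpolated into the script text, so shell metacharacters in the
    directory name are parsed as commands."""
    return f'#!/bin/sh\ncd {workspace}\necho "running in $(pwd)"\n'


def launcher_hardened(workspace: str) -> str:
    """Post-fix pattern: the script text is constant. The path travels in an
    environment variable (name assumed) set by the launching process, and the
    quoted expansion keeps it one argument whatever characters it contains."""
    return '#!/bin/sh\ncd "$WORKSPACE_DIR" || exit 1\necho "running in $(pwd)"\n'


def run_launcher(script_text: str, extra_env: dict) -> str:
    """Write the script to a temp file, run it with sh, return stdout+stderr."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(script_text)
        proc = subprocess.run(["sh", path], capture_output=True, text=True,
                              env={**os.environ, **extra_env}, timeout=10)
        return proc.stdout + proc.stderr
    finally:
        os.unlink(path)


def demo() -> dict:
    """Run both launchers against a constructed workspace whose name carries a
    harmless injected command and report what each one actually executed."""
    with tempfile.TemporaryDirectory() as root:
        hostile = os.path.join(root, "ws; echo INJECTED")  # constructed name
        os.mkdir(hostile)
        vuln_out = run_launcher(launcher_vulnerable(hostile), {})
        hard_out = run_launcher(launcher_hardened(hostile),
                                {"WORKSPACE_DIR": hostile})
        # An injected echo shows up as a line that is exactly "INJECTED"; the
        # hardened run only ever prints the directory name inside a longer line.
        return {
            "vulnerable_ran_injected_command": "INJECTED" in vuln_out.splitlines(),
            "hardened_ran_injected_command": "INJECTED" in hard_out.splitlines(),
            "hardened_entered_workspace":
                hard_out.strip().endswith(os.path.basename(hostile)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Quoting the interpolated value would also have closed this particular hole, but the environment-variable approach the plugin adopted removes the path from the script entirely, so there is no escaping rule to get wrong and the generated file is identical for every workspace; that is also what makes the fixed version easy to audit on an agent.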

The Coverage Plugin suffers from a high-severity stored XSS vulnerability, CVE-2025-67641, affecting versions 2.3054.ve1ff7b_a_a_123b_ and earlier. Attackers with Item/Configure permission can craft coverage results IDs using a `javascript:` scheme URL via the REST API, leading to script injection. Coverage Plugin 2.3056.v1dfe888b_0249 validates IDs at creation time and refuses to load invalid identifiers.
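The Coverage fix validates at two points: when an ID is created through the REST API and again when an existing ID is loaded, so records written before the fix cannot reach the page. The following is an added illustration of that allowlist approach, not the plugin's own code; the exact character set it permits is this example's assumption, since the advisory only says that invalid IDs are rejected at creation and refused on load. Because the allowlist never admits a `:`, no URL scheme passes, regardless of case or spelling.

```python
import re

# Allowlist for identifiers that will later be embedded in URLs and HTML.
# The exact rule is this example's assumption.
VALID_RESULT_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


class InvalidResultId(ValueError):
    """Raised for any identifier outside the allowlist."""


def validate_result_id(candidate) -> str:
    """Accept only allowlisted identifiers; a ':' (so any URL scheme) never passes."""
    if not isinstance(candidate, str) or not VALID_RESULT_ID.fullmatch(candidate):
        raise InvalidResultId(f"rejected coverage result id {candidate!r}")
    return candidate


class CoverageResults:
    """Stores coverage reports keyed by id, validating at both trust boundaries."""

    def __init__(self):
        self._results = {}

    def create(self, result_id: str, report: dict) -> str:
        """REST-API entry point: reject a bad id before anything is stored."""
        rid = validate_result_id(result_id)
        self._results[rid] = report
        return rid

    def load(self, result_id: str):
        """Defence in depth for data written before the fix: never hand a
        non-conforming id onward, even if something stored it earlier."""
        return self._results.get(validate_result_id(result_id))

    def import_legacy(self, legacy: dict) -> list:
        """Bring in pre-fix records; return the ids that were refused."""
        refused = []
        for rid, report in legacy.items():
            try:
                self.create(rid, report)
            except InvalidResultId:
                refused.append(rid)
        return refused


def check_ids(candidates) -> dict:
    """Map each candidate id to whether the allowlist accepts it."""
    verdicts = {}
    for candidate in candidates:
        try:
            validate_result_id(candidate)
            verdicts[candidate] = True
        except InvalidResultId:
            verdicts[candidate] = False
    return verdicts


if __name__ == "__main__":
    store = CoverageResults()
    print(store.create("main-build-42", {"line": 91.2}))
    print(check_ids(["main-build-42", "javascript:void(0)", "../other", ""]))
```

Output encoding at the template is not a substitute here: an HTML-escaped `javascript:` URL is still a `javascript:` URL once it lands in an `href`, which is why the plugin validates the identifier rather than encoding it.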

HashiCorp Vault Plugin 371.v884a_4dd60fb_6 and earlier (CVE-2025-67642) exposes system-scoped Vault credentials to users who should not have access, due to improper context setting during credential lookup. Additionally, the BlazeMeter Plugin and Redpen - Pipeline Reporter for Jira had separate vulnerabilities disclosed without CVSS scores in the initial advisory. Jenkins administrators running any affected component should prioritize updating to the latest versions to reduce exposure.
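To turn the version ranges above into an inventory check, the following script, added here and not part of Jenkins or the advisory, encodes every last-affected and fixed version the summary names and evaluates an installed core version and plugin list against them. It orders Jenkins versions by their leading numeric segments only, since plugin versions such as `2.3054.ve1ff7b_a_a_123b_` carry a commit hash after the numbers, and it keeps the weekly and LTS core lines separate, because comparing LTS 2.528.3 against the weekly threshold 2.540 would wrongly mark a fixed release as affected. The plugin short names `git-client`, `coverage` and `hashicorp-vault-plugin` and the sample inventory are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


def numeric_prefix(version: str) -> Tuple[int, ...]:
    """Leading dotted integers of a Jenkins version string; the hash suffix
    on plugin versions does not order releases and is dropped."""
    parts = []
    for segment in version.strip().split("."):
        if not segment.isdigit():
            break
        parts.append(int(segment))
    return tuple(parts)


# Core versions named in the advisory summary.
LAST_AFFECTED_WEEKLY = numeric_prefix("2.540")   # fixed in 2.541
LAST_AFFECTED_LTS = numeric_prefix("2.528.2")    # fixed in 2.528.3
CORE_CVES = ["CVE-2025-67635", "CVE-2025-67636", "CVE-2025-67637",
             "CVE-2025-67638", "CVE-2025-67639"]


@dataclass(frozen=True)
class PluginAdvisory:
    short_name: str          # plugin artifact id, assumed for this example
    cve: str
    last_affected: str       # from the advisory summary
    fixed_in: Optional[str]  # None where the summary names no fixed version


PLUGIN_ADVISORIES = [
    PluginAdvisory("git-client", "CVE-2025-67640", "6.4.0", "6.4.1"),
    PluginAdvisory("coverage", "CVE-2025-67641",
                   "2.3054.ve1ff7b_a_a_123b_", "2.3056.v1dfe888b_0249"),
    PluginAdvisory("hashicorp-vault-plugin", "CVE-2025-67642",
                   "371.v884a_4dd60fb_6", None),
]


def core_status(version: str) -> str:
    """Weekly releases are 2.N, LTS releases are 2.N.M. They are separate
    lines, so an LTS version is never compared to the weekly threshold."""
    v = numeric_prefix(version)
    if len(v) >= 3:
        return "affected" if v <= LAST_AFFECTED_LTS else "fixed"
    return "affected" if v <= LAST_AFFECTED_WEEKLY else "fixed"


def plugin_status(short_name: str, version: str) -> str:
    for adv in PLUGIN_ADVISORIES:
        if adv.short_name != short_name:
            continue
        v = numeric_prefix(version)
        if v <= numeric_prefix(adv.last_affected):
            return "affected"
        if adv.fixed_in and v >= numeric_prefix(adv.fixed_in):
            return "fixed"
        return "not listed as affected"
    return "not in advisory"


def assess(core_version: str, plugins: dict) -> list:
    """Findings as (component, version, status, cves); plugins the advisory
    does not mention are left out."""
    findings = [("jenkins-core", core_version, core_status(core_version), CORE_CVES)]
    for name, ver in sorted(plugins.items()):
        status = plugin_status(name, ver)
        if status != "not in advisory":
            cves = [a.cve for a in PLUGIN_ADVISORIES if a.short_name == name]
            findings.append((name, ver, status, cves))
    return findings


if __name__ == "__main__":
    # Constructed inventory, shaped like an update-manager export.
    inventory = {"git-client": "6.4.0",
                 "coverage": "2.3056.v1dfe888b_0249",
                 "hashicorp-vault-plugin": "371.v884a_4dd60fb_6",
                 "some-other-plugin": "1.0"}
    for finding in assess("2.528.2", inventory):
        print(*finding)
```

For the Vault plugin the summary gives only the last affected version, so anything newer is reported as "not listed as affected" rather than "fixed"; that distinction is worth preserving in a report so that a reader checks the upstream advisory for the actual fix version instead of assuming it.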

Synthesized by Vypr AI