Jenkins Warns of Unpatched XSS Vulnerability in Gatling Plugin
Jenkins released a security advisory for a high-severity XSS vulnerability in the Gatling plugin that bypasses CSP protections, with no fix currently available.

Jenkins has published Security Advisory 2025-06-06, warning users about a cross-site scripting (XSS) vulnerability in the Gatling plugin. Tracked as CVE-2025-5806 with a CVSS severity rating of High, the flaw affects Gatling Plugin 136.vb_9009b_3d33a_e and earlier. The plugin serves Gatling reports in a way that bypasses the Content-Security-Policy (CSP) protection introduced in Jenkins 1.641 and 1.625.3, the restrictive CSP header Jenkins attaches to files served from workspaces and archived artifacts precisely so that attacker-controlled HTML cannot execute script. Because the reports are delivered without that protection, an attacker who can modify report content can embed JavaScript that runs when the report is viewed.
The vulnerability is exploitable by users able to change report content. Gatling reports are produced by the build itself, so in a typical setup this is not limited to users who can edit stored reports directly: anyone who can influence what a job writes into its report, for example by changing the job configuration or the Gatling simulation code it builds, can plant the payload. When another user opens the compromised report, the script executes in that user's browser session with that user's Jenkins permissions, which can mean session hijacking, credential theft, or further unauthorized actions such as triggering jobs or changing configuration if the victim is an administrator. The advisory notes that, as of publication, no fix is available for the affected plugin.
In the absence of a patch, Jenkins recommends that affected users downgrade the Gatling plugin to version 1.3.0, the last version not affected by this vulnerability. The advisory also clarifies the version range: the "Affected Versions" section on jenkins.io can only express "136.vb_9009b_3d33a_e and earlier", so it appears to cover 1.3.0 and older releases as well, but that is a limitation of the advisory page format. Only releases newer than 1.3.0, up to and including 136.vb_9009b_3d33a_e, are actually vulnerable.
The Gatling plugin is widely used in Jenkins environments for load and performance testing, so this advisory matters to DevOps and CI/CD pipelines that rely on it. Organizations running Jenkins with the Gatling plugin should check the installed version (under Manage Jenkins > Plugins > Installed plugins, or via the plugin manager's JSON API) and either downgrade to 1.3.0 or, if the plugin is not actually needed, disable or uninstall it until a fixed release is available. Note that the plugin manager's built-in downgrade generally offers only the previously installed version it backed up, so reverting to 1.3.0 will usually mean installing that release's .hpi file manually. Jenkins has not provided a timeline for a patched version.
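The exposure check the preceding paragraphs describe, as an added example (this is not code from the advisory or from the Gatling plugin). It assumes two inputs: the JSON returned by Jenkins' `/pluginManager/api/json?depth=1` endpoint (fields `shortName` and `version`), reproduced below as a constructed sample, and the Content-Security-Policy header observed on a served report. The version range it encodes is the one the advisory states: everything after 1.3.0 up to and including 136.vb_9009b_3d33a_e is affected. The CSP helper applies the general rule for whether attacker-controlled HTML can execute script, which is why Jenkins' default `sandbox; default-src 'none'; ...` header blocks it and a missing header does not.

```python
"""Exposure check for Jenkins Security Advisory 2025-06-06 (Gatling plugin, CVE-2025-5806).

Added example, not the advisory's or the plugin's own code. Inputs are the
pluginManager JSON API output (constructed sample below) and a CSP header string.
"""
import json
from typing import Optional

LAST_SAFE = "1.3.0"                     # last version not affected (per the advisory)
LAST_AFFECTED = "136.vb_9009b_3d33a_e"  # newest affected version (per the advisory)

# The header Jenkins 1.641 / 1.625.3 and later apply to files served from
# workspaces and archived artifacts.
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"


def numeric_prefix(version: str) -> tuple:
    """Leading dot-separated integers of a Jenkins plugin version.

    Works for classic versions (1.3.0) and incrementals versions
    (136.vb_9009b_3d33a_e): comparison stops at the first non-numeric
    component, because the 'v<hash>' suffix names a commit and has no
    ordering of its own. Caveat: two incrementals versions that share the
    same numeric prefix therefore compare equal.
    """
    parts = []
    for comp in version.split("."):
        if not comp.isdigit():
            break
        parts.append(int(comp))
    return tuple(parts)


def compare(a: str, b: str) -> int:
    """-1, 0 or 1, comparing numeric prefixes padded with zeros (1.3 == 1.3.0)."""
    pa, pb = numeric_prefix(a), numeric_prefix(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(version: str) -> bool:
    """True for every release after 1.3.0 up to and including 136.vb_9009b_3d33a_e."""
    return compare(version, LAST_SAFE) > 0 and compare(version, LAST_AFFECTED) <= 0


def gatling_status(plugin_manager_json: str) -> Optional[dict]:
    """Find the Gatling plugin (shortName 'gatling') in pluginManager/api/json output.

    Returns None when the plugin is not installed.
    """
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == "gatling":
            version = plugin["version"]
            return {
                "version": version,
                "active": plugin.get("active", True),
                "affected": is_affected(version),
            }
    return None


def csp_permits_script(csp_header: Optional[str]) -> bool:
    """Whether a CSP header would still let attacker-controlled HTML run script.

    Script is blocked only by a 'sandbox' directive without allow-scripts, or by
    an effective script source list (script-src, else default-src) of 'none'.
    Anything else, including a missing header or a bare 'self' (the attacker's
    report files are served from 'self' too), is treated as permitting script.
    """
    if not csp_header or not csp_header.strip():
        return True
    directives = {}
    for raw in csp_header.split(";"):
        tokens = raw.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    if "sandbox" in directives and "allow-scripts" not in directives["sandbox"]:
        return False
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    return sources != ["'none'"]


# Constructed sample of /pluginManager/api/json?depth=1 output (versions made up
# for illustration, except the affected Gatling version from the advisory).
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "_class": "hudson.LocalPluginManager",
    "plugins": [
        {"shortName": "git", "version": "5.7.0", "active": True},
        {"shortName": "gatling", "version": "136.vb_9009b_3d33a_e", "active": True},
    ],
})

if __name__ == "__main__":
    print(gatling_status(SAMPLE_PLUGIN_MANAGER_JSON))
    print("default Jenkins CSP permits script:", csp_permits_script(JENKINS_DEFAULT_CSP))
    print("missing CSP permits script:", csp_permits_script(None))
```

In practice, feed `gatling_status` the output of `curl -u user:apitoken 'https://<jenkins>/pluginManager/api/json?depth=1'`, and feed `csp_permits_script` the `Content-Security-Policy` header returned for a served report page; a report served without the default sandbox header is the condition the advisory describes.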
This advisory is part of Jenkins' ongoing effort to address security issues in its extensive plugin ecosystem, which has historically been a vector for vulnerabilities due to the large number of third-party plugins. The lack of an available patch underscores the importance of maintaining minimal plugin installations and applying security best practices, such as network segmentation and strict access controls, to limit the blast radius of potential exploits.