Jenkins Docker Images Expose Network Path to Potential Attacker Insertion

A security vulnerability in Jenkins Docker images has been disclosed, potentially compromising the integrity of continuous integration and deployment pipelines worldwide.

The Jenkins security team has revealed that certain SSH build agent Docker images reuse SSH host keys, allowing attackers to potentially hijack network traffic between Jenkins controllers and build agents.

Vulnerability Details

The Jenkins security advisory (released April 10, 2025) identifies two distinct CVEs affecting different image variants:

  • CVE-2025-32754: Affects jenkins/ssh-agent Docker images (Medium severity)
  • CVE-2025-32755: Affects deprecated jenkins/ssh-slave Docker images (Medium severity)

The core issue stems from how SSH host keys are generated during image creation for Debian-based Docker images.

In affected versions, all containers built from the same image share identical SSH host keys, fundamentally undermining the security model that relies on unique server identification.

Technical Explanation: In jenkins/ssh-agent 6.11.1 and earlier (and all jenkins/ssh-slave versions), SSH host keys are generated at image creation time rather than container instantiation time.

This means that every container instance using the same base image will present identical cryptographic identity credentials.

As the advisory explains: “This allows attackers able to insert themselves into the network path between the SSH client (typically the Jenkins controller) and SSH build agent to impersonate the latter”.

Affected Images

The vulnerability impacts:

jenkins/ssh-agent:

  • All images without explicit OS specification (including all -jdk* and -jdk*-preview variants) created before 2025-04-10
  • All images containing “debian”, “stretch”, “bullseye”, or “bookworm” tags created before 2025-04-10

jenkins/ssh-slave (deprecated):

  • Tags including “latest”, “jdk11”, “latest-jdk11”, and “revert-22-jdk11-JENKINS-52279”

Unaffected image variants include all jenkins/ssh-agent and jenkins/ssh-slave variants based on Alpine, NanoServer, or Windows.

Attack Scenario and Risks

An attacker who can position themselves between a Jenkins controller and a build agent could intercept and hijack sensitive network traffic without triggering SSH authenticity warnings.

This man-in-the-middle position could be leveraged to:

  • Intercept or modify build artifacts
  • Harvest credentials or secrets used during builds
  • Inject malicious code into build pipelines

Remediation Steps

The Jenkins project has released version 6.11.2 of jenkins/ssh-agent Docker images, which addresses this vulnerability with a critical security enhancement:

# The fix implemented in version 6.11.2
# Deletes pre-generated SSH host keys during image creation
# New host keys are generated on first container startup

Users of jenkins/ssh-agent Docker images should immediately update to version 6.11.2.

For users of the deprecated jenkins/ssh-slave images, no fix will be provided.

The Jenkins team strongly recommends migrating to the updated jenkins/ssh-agent images as soon as possible.
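One way to audit a fleet for the shared host keys described above, as an added example that is not from the Jenkins advisory or project: it parses `ssh-keyscan`-style output and reports any host key presented by more than one agent. The host names and key blobs are constructed sample data, and the function names are hypothetical.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(keyscan_output: str) -> dict:
    """Return {"keytype fingerprint": [hosts]} for keys seen on 2+ hosts."""
    hosts_by_key = defaultdict(set)
    for line in keyscan_output.splitlines():
        parts = line.split()
        # Skip blanks, ssh-keyscan "# host:port banner" comments, short lines.
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        host, keytype, blob = parts[:3]
        try:
            hosts_by_key[f"{keytype} {fingerprint(blob)}"].add(host)
        except ValueError:  # malformed base64 (binascii.Error is a ValueError)
            continue
    return {k: sorted(h) for k, h in hosts_by_key.items() if len(h) > 1}


def _sample_blob(seed: bytes) -> str:
    """Constructed ssh-ed25519 wire-format blob for the demo, not a real key."""
    name, key = b"ssh-ed25519", hashlib.sha256(seed).digest()
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return base64.b64encode(raw).decode()


# Constructed scan output: agents a and b come from the same affected image.
BAKED = _sample_blob(b"key-generated-at-image-build")
SAMPLE = "\n".join([
    "# agent-a.example:22 SSH-2.0-OpenSSH_9.2p1",
    f"agent-a.example ssh-ed25519 {BAKED}",
    f"agent-b.example ssh-ed25519 {BAKED}",
    f"agent-c.example ssh-ed25519 {_sample_blob(b'key-generated-at-first-start')}",
])

if __name__ == "__main__":
    for key, hosts in shared_host_keys(SAMPLE).items():
        print(f"shared host key {key}: {', '.join(hosts)}")
```

Against a real deployment, feed the function the output of `ssh-keyscan` run over the agent addresses; any fingerprint that maps to more than one agent indicates containers still running with a key generated at image build time.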

Conclusion

This vulnerability highlights the critical importance of proper cryptographic key management in containerized environments.

Organizations using Jenkins in Docker environments should audit their deployments and update affected images immediately to protect their software supply chains from potential compromise.

The Jenkins team credited security researcher Abhishek Reddypalle for discovering and reporting these vulnerabilities.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
