Jenkins, the widely used open-source automation server, issued a high-priority security advisory (2025-04-02) addressing eight vulnerabilities across its core platform and seven plugins.
The most severe flaw, CVE-2025-31722, enables arbitrary code execution on Jenkins controllers via the Templating Engine Plugin, earning a CVSSv3 score of 8.8.
The advisory also reveals systemic issues with permission management and insecure credential storage affecting millions of DevOps pipelines globally.
Critical Code Injection in Templating Engine Plugin
CVE-2025-31722 (CVSS 8.8) exposes Jenkins controllers to remote code execution through folder-scoped pipeline libraries.
Attackers with Item/Configure permissions can bypass Groovy sandbox protections in Templating Engine Plugin versions ≤2.5.3, executing malicious code directly on the controller JVM.
Patched in v2.5.4, this vulnerability highlights risks in improperly scoped CI/CD component trust models.
Core Jenkins Permission Bypasses
Two medium-severity flaws (CVE-2025-31720/CVE-2025-31721) in Jenkins core versions ≤2.503/LTS ≤2.492.2 allow privilege escalation:
- Agent Configuration Leak: Attackers with Computer/Create permissions gain unauthorized access to agent configurations.
- Secret Extraction: Similar bypass exposes encrypted secrets stored in agent configurations.
Patched versions (Jenkins 2.504/LTS 2.492.3) enforce Computer/Extended Read and Computer/Configure permissions, respectively.
Plug-in Security Failures
Insecure Credential Storage
| Plugin | CVE | Risk Profile |
|---|---|---|
| Cadence vManager | CVE-2025-31724 | Unencrypted Verisium API keys |
| monitor-remote-job | CVE-2025-31725 | Plaintext passwords |
| Stack Hammer | CVE-2025-31726 | Exposed API keys |
| AsakusaSatellite | CVE-2025-31727/31728 | Unmasked API keys |
These plugins store sensitive data unencrypted in config.xml files, accessible via Item/Extended Read permissions or filesystem access.
Only Cadence vManager (v4.0.1) provides encryption fixes; others remain unpatched.
CSRF in Build Queue Manipulation
CVE-2025-31723 affects Simple Queue Plugin ≤1.4.6, allowing attackers to alter build orders via cross-site requests.
Version 1.4.7 mandates POST requests for critical endpoints.
Remediation Timeline and Challenges
Patched Components:
- Jenkins Core: Upgrade to 2.504 (weekly) or 2.492.3 (LTS)
- Templating Engine: v2.5.4
- Simple Queue Plugin: v1.4.7
- Cadence vManager: v4.0.1
Unresolved Risks:
Plugins without fixes (AsakusaSatellite, monitor-remote-job, Stack Hammer) require compensating controls:
- Revoke Item/Extended Read from untrusted users
- Audit config.xml files for exposed credentials
- Monitor plugin repositories for updates
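The config.xml audit listed above, as an added example that is not part of the advisory or of any Jenkins tooling: it walks every config.xml under a JENKINS_HOME and flags credential-like elements whose value is not stored in Jenkins' encrypted Secret form. The element-name pattern, the encrypted-value pattern and the `hypothetical.plugin.Settings` element in the sample are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Heuristic: element names that commonly carry credentials (assumption, not a list from the advisory).
SENSITIVE_NAME = re.compile(r"(password|passwd|apikey|api_key|token|secret)", re.IGNORECASE)
# Jenkins-encrypted Secret values appear as base64 wrapped in braces, e.g. {AQAAABAAAA...=}.
ENCRYPTED_VALUE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def find_plaintext_secrets(xml_text: str):
    """Return (element_path, value) pairs for credential-like elements whose text is not encrypted."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        if text and SENSITIVE_NAME.search(elem.tag) and not ENCRYPTED_VALUE.match(text):
            findings.append((here, text))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def audit_jenkins_home(jenkins_home):
    """Scan every config.xml under JENKINS_HOME; map file path -> findings (unparseable files are skipped)."""
    results = {}
    for cfg in Path(jenkins_home).rglob("config.xml"):
        try:
            hits = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue
        if hits:
            results[str(cfg)] = hits
    return results


# Constructed sample job config: one plaintext API key and one properly encrypted password.
SAMPLE_CONFIG_XML = """<project>
  <properties>
    <hypothetical.plugin.Settings>
      <apiKey>plaintext-key-1234</apiKey>
      <password>{AQAAABAAAAAQ3Qz1b9zYyT1hVwz0v0x7c8kL7Qc0zXx5a9oQ1s1H2Zk=}</password>
    </hypothetical.plugin.Settings>
  </properties>
</project>
"""

if __name__ == "__main__":
    for path, value in find_plaintext_secrets(SAMPLE_CONFIG_XML):
        print(f"plaintext credential at {path}: {value[:4]}...")
```

Run `audit_jenkins_home("/var/lib/jenkins")` (or wherever JENKINS_HOME lives) to cover jobs, nodes and plugin-level config.xml files in one pass; only the element path and a value prefix should be logged, never the full value.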
Attribution and Response
CloudBees researchers Daniel Beck and Swapna Nanda identified core permission flaws, while Aix Marseille University teams disclosed multiple plugin vulnerabilities.
The Jenkins project emphasizes immediate patching for the Templating Engine and core systems, noting no active exploits observed as of advisory publication.
Administrators must balance plugin dependency risks against pipeline functionality, particularly for unmaintained components.
Continuous secrets rotation and least-privilege access remain critical defenses as CI/CD infrastructures face escalating attack surfaces.