Jenkins Released Security Updates – Multiple Vulnerabilities Fixed That Allow Attackers to Exploit CI/CD Pipelines

Jenkins, the widely used automation server for CI/CD pipelines, has released a critical security advisory addressing several vulnerabilities in popular plugins.

These flaws, ranging from authentication bypasses to cross-site scripting, could allow attackers to compromise Jenkins environments, bypass authentication, or gain elevated privileges.

The security updates bring essential patches for affected plugins, but in some cases, no immediate fixes are available. Here’s a breakdown of what’s at risk and the steps users should take.

Among the most severe issues disclosed, the OpenID Connect Provider Plugin (CVE-2025-47884, rated Critical) was found to improperly validate environment variables when generating build ID tokens.

In versions up to 96.vee8ed882ec4d, this allowed attackers who could configure jobs and manipulate environment variables to forge tokens and impersonate trusted jobs, potentially gaining unauthorized access to external services integrated with Jenkins.

Even more alarming is the vulnerability in the WSO2 Oauth Plugin (CVE-2025-47889, rated Critical).

In all versions up to 1.0, the plugin’s security realm accepts any authentication claim without verification.

This allows unauthenticated attackers to log in using arbitrary credentials, including non-existent usernames, potentially granting them admin access depending on the configured authorization strategy.

Although group-based permissions are not assigned to such logins, the flaw is particularly dangerous in environments where “Logged-in users can do anything” is enabled.

Both plugins pose significant risks to the integrity and confidentiality of Jenkins-managed CI/CD pipelines.

While the OpenID Connect Provider Plugin has been patched in version 111.v29fd614b_3617, no fix is yet available for the WSO2 Oauth Plugin.

A stored cross-site scripting (XSS) vulnerability (CVE-2025-47885, rated High) was identified in the Health Advisor by CloudBees Plugin.

Attackers controlling responses from the Jenkins Health Advisor server could inject malicious scripts, potentially leading to session hijacking or information disclosure.

This issue affected versions up to 374.v194b_d4f0c8c8 and is resolved in version 374.376.v3a_41a_a_142efe, which properly escapes server responses.

Meanwhile, the Cadence vManager Plugin presented two medium-severity issues:

  • A cross-site request forgery (CSRF) vulnerability (CVE-2025-47886), and
  • Missing permission checks (CVE-2025-47887).

In versions up to 4.0.1-286.v9e25a_740b_a_48, attackers with basic read permissions could exploit these weaknesses to perform unauthorized actions, such as connecting to arbitrary URLs with attacker-specified credentials.

The freshly released version 4.0.1-288.v8804b_ea_a_cb_7f requires POST requests and stricter permissions, mitigating these risks.

SSL/TLS Validation and Patch Recommendations

The DingTalk Plugin (CVE-2025-47888, Medium) disables SSL/TLS certificate and hostname validation by default, exposing users to potential man-in-the-middle attacks.

Unfortunately, as of this advisory, no patch is available for this vulnerability.

Administrators are urged to immediately update the following plugins to their fixed versions:

  • Cadence vManager Plugin: 4.0.1-288.v8804b_ea_a_cb_7f
  • Health Advisor by CloudBees Plugin: 374.376.v3a_41a_a_142efe
  • OpenID Connect Provider Plugin: 111.v29fd614b_3617

Users of the DingTalk and WSO2 Oauth Plugins should monitor for updates and consider disabling or restricting these plugins until fixes are released.
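The quickest way to act on the list above is to compare what a controller actually has installed against the fixed versions the advisory names. The script below is an added example, not code from the Jenkins project or from the advisory: it reads the JSON that Jenkins serves at `/pluginManager/api/json?depth=1`, flags the three patched plugins when the installed version is older than the fix, and reports the two unpatched plugins as needing to be disabled or restricted. The plugin short names (`oidc-provider`, `cloudbees-jenkins-advisor`, `vmanager-plugin`, `wso2id-oauth`, `dingding-notifications`) are assumptions and should be checked against your own Plugin Manager; the version ordering is a simplified approximation of Jenkins' plugin version scheme (numeric components compared as numbers, with a bare `vHASH` qualifier ranking below a numeric component), which is sufficient for the version pairs in this advisory. The sample JSON is constructed for the demonstration.

```python
import base64
import json
import re
import urllib.request
from dataclasses import dataclass
from typing import List, Optional

# First fixed versions as given in the advisory. Plugin short names are an
# assumption (not stated on the page); verify them in your Plugin Manager.
FIXED_VERSIONS = {
    "vmanager-plugin": "4.0.1-288.v8804b_ea_a_cb_7f",          # Cadence vManager
    "cloudbees-jenkins-advisor": "374.376.v3a_41a_a_142efe",  # Health Advisor by CloudBees
    "oidc-provider": "111.v29fd614b_3617",                     # OpenID Connect Provider
}

# Plugins for which the advisory lists no fix yet: disable or restrict them.
NO_FIX_AVAILABLE = {"wso2id-oauth", "dingding-notifications"}


def _tokens(version: str) -> List[str]:
    # Split on '.' and '-' only; underscores belong to the hash qualifier.
    return [t for t in re.split(r"[.\-]", version) if t]


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as `a` is older than, equal to, or newer than `b`.

    Simplified approximation of Jenkins' plugin version ordering (assumption):
    numeric tokens compare as integers, a numeric token ranks above a
    'vHASH' qualifier, and a trailing qualifier alone does not change order.
    """
    ta, tb = _tokens(a), _tokens(b)
    for x, y in zip(ta, tb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xn != yn:
            return 1 if xn else -1
        elif x != y:
            # Two different hash qualifiers: lexical order, deterministic but arbitrary.
            return -1 if x < y else 1
    # One version has extra tokens; a non-zero numeric remainder makes it newer.
    rest = ta[len(tb):] if len(ta) > len(tb) else tb[len(ta):]
    for t in rest:
        if t.isdigit() and int(t) != 0:
            return 1 if len(ta) > len(tb) else -1
    return 0


@dataclass
class Finding:
    plugin: str
    installed: str
    status: str                 # "ok", "update", "no-fix" or "disabled"
    fixed: Optional[str] = None


def audit_plugins(plugin_manager_json: str) -> List[Finding]:
    """Audit pluginManager/api/json?depth=1 output against the advisory."""
    data = json.loads(plugin_manager_json)
    findings = []
    for p in data.get("plugins", []):
        name, installed = p["shortName"], p["version"]
        if name in FIXED_VERSIONS:
            fixed = FIXED_VERSIONS[name]
            status = "ok" if compare_versions(installed, fixed) >= 0 else "update"
            findings.append(Finding(name, installed, status, fixed))
        elif name in NO_FIX_AVAILABLE:
            status = "disabled" if not p.get("enabled", True) else "no-fix"
            findings.append(Finding(name, installed, status))
    return findings


def fetch_plugin_manager_json(base_url: str, user: str, api_token: str) -> str:
    """Fetch the plugin list from a live controller with an API token (basic auth)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


# Constructed sample: one vulnerable, one fixed, one vulnerable, two unpatched
# plugins (one already disabled) and an unrelated plugin that is ignored.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({"plugins": [
    {"shortName": "oidc-provider", "version": "96.vee8ed882ec4d", "enabled": True},
    {"shortName": "cloudbees-jenkins-advisor", "version": "374.376.v3a_41a_a_142efe", "enabled": True},
    {"shortName": "vmanager-plugin", "version": "4.0.1-286.v9e25a_740b_a_48", "enabled": True},
    {"shortName": "wso2id-oauth", "version": "1.0", "enabled": True},
    {"shortName": "dingding-notifications", "version": "0.0.1", "enabled": False},  # constructed version
    {"shortName": "git", "version": "5.7.0", "enabled": True},                        # constructed version
]})

if __name__ == "__main__":
    # Replace the sample with fetch_plugin_manager_json(url, user, token) for a real controller.
    for f in audit_plugins(SAMPLE_PLUGIN_MANAGER_JSON):
        target = f" (fixed in {f.fixed})" if f.fixed else ""
        print(f"{f.status:8} {f.plugin} {f.installed}{target}")
```

Anything reported as `update` is below the fixed version; `no-fix` marks an enabled plugin the advisory leaves unpatched, which is the case for disabling or restricting it until a fix ships. The version comparator is deliberately conservative about hash-only differences: if the numeric components match but the qualifier does not, it does not assume the build is patched.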

The Jenkins project credits security researchers from CloudBees, Inc., and independent contributors for responsibly reporting these issues.

Security-conscious Jenkins administrators are advised to review their plugin configurations, apply recommended updates promptly, and monitor official channels for fixes to unresolved vulnerabilities.
