A critical security flaw in widely used Jenkins Docker images has been discovered, potentially compromising build pipelines across thousands of organizations. 

The vulnerability, disclosed in a Jenkins Security Advisory on April 10, 2025, affects SSH host key handling in certain Docker images and could allow attackers to execute man-in-the-middle attacks against Jenkins build environments.

The issue, tracked as CVE-2025-32754 and CVE-2025-32755, affects the jenkins/ssh-agent Docker images (versions up to and including 6.11.1) and all versions of the deprecated jenkins/ssh-slave image. 

Jenkins Docker Images Vulnerabilities

The vulnerability stems from SSH host keys being generated during image creation rather than container startup for Debian-based images.

“As a result, all containers based on images of the same version use the same SSH host keys,” the advisory warns. 

This fundamentally undermines the security model of SSH, where host keys are intended to uniquely identify servers and establish trust relationships.

The Jenkins project credits security researcher Abhishek Reddypalle for discovering and reporting this vulnerability.

The summary of the vulnerabilities is given below:

| CVEs | Affected Products | Impact | Exploit Prerequisites | CVSS 3.1 Score |
| --- | --- | --- | --- | --- |
| CVE-2025-32754 | Jenkins ssh-agent Docker images (Debian-based, versions ≤ 6.11.1) | Man-in-the-middle attacks, unauthorized access, credential theft, build manipulation | Network path interception between SSH client (Jenkins controller) and SSH build agent | 9.1 (Critical) |
| CVE-2025-32755 | Jenkins ssh-slave Docker images (Debian-based, all versions) | Man-in-the-middle attacks, unauthorized access, data manipulation | Network path interception between SSH client (Jenkins controller) and SSH build agent | 9.1 (Critical) |

Affected Images

The vulnerability specifically impacts these image variants:

jenkins/ssh-agent:

All tags not explicitly specifying an OS, including all -jdk* and -jdk*-preview suffixes (before 2025-04-10).

All images containing debian, stretch, bullseye, or bookworm (before 2025-04-10).

jenkins/ssh-slave (deprecated):

Tags latest, jdk11, latest-jdk11, revert-22-jdk11-JENKINS-52279.

Alpine-based, Windows, and Nanoserver variants are unaffected by this vulnerability.

Attack Vector and Impact

The vulnerability enables attackers who can intercept network traffic between the Jenkins controller and SSH build agents to impersonate legitimate agents without triggering SSH authenticity warnings.

This attack vector could lead to severe consequences, including:

Interception or modification of build artifacts

Harvesting of credentials or secrets used during builds

Injection of malicious code into build pipelines

Such attacks are particularly concerning in CI/CD environments where compromised build processes can lead to supply chain attacks affecting downstream systems and customers.

The Jenkins project has released updated jenkins/ssh-agent images in version 6.11.2, which introduce a critical security improvement:

“The jenkins/ssh-agent 6.11.2 Docker images based on Debian delete the automatically generated SSH host keys created during image creation. New host keys are generated on the first container startup”.

Administrators can verify they’re running a patched version by inspecting their Docker images. The patched behavior will generate unique SSH host keys for each container instance rather than reusing the same keys across all deployments.

Organizations should immediately update their Docker images to this version. The deprecated jenkins/ssh-slave images will not receive updates, and users should migrate to jenkins/ssh-agent instead.
