The Jenkins project has disclosed multiple security vulnerabilities affecting its core platform and several plugins, exposing organizations to potential data breaches and code execution attacks. 

Eight distinct vulnerabilities were disclosed across Jenkins core and several plugins. They could allow attackers to read sensitive information, obtain encrypted secrets, and, in the worst case, execute arbitrary code on the Jenkins controller.

The most severe vulnerability impacts the Templating Engine Plugin (CVE-2025-31722), rated as high severity. 

In versions 2.5.3 and earlier, libraries defined in folders are not subject to the Groovy sandbox, enabling attackers with Item/Configure permission to execute arbitrary code within the Jenkins controller Java Virtual Machine (JVM). 

This is a significant risk for organizations using the plugin: Item/Configure is routinely granted to developers, and code running in the controller JVM has access to every credential stored on the controller and to every pipeline it orchestrates, so a successful exploit compromises the Jenkins environment completely.

Additionally, two medium-severity vulnerabilities in Jenkins core (CVE-2025-31720 and CVE-2025-31721) allow attackers with Computer/Create permission to bypass permission checks and gain unauthorized access to agent configurations and the encrypted secrets they contain. 

Both stem from missing permission validation in specific HTTP endpoints. CVE-2025-31721 was assigned because the earlier fix for this issue, the agent-configuration secrets fix shipped in March 2025, was incomplete. Administrators should review which users and groups hold Computer/Create, since that permission is enough to reach these endpoints.

Plain Text Credential Storage Creates Risk

Several plugins store sensitive credentials in plain text, creating significant security risks. The affected plugins are:

Cadence vManager Plugin (CVE-2025-31724): Stores Verisium Manager vAPI keys unencrypted in job configuration files

Monitor-Remote-Job Plugin (CVE-2025-31725): Stores passwords unencrypted in job configuration files

Stack Hammer Plugin (CVE-2025-31726): Stores API keys unencrypted in job configuration files

AsakusaSatellite Plugin (CVE-2025-31727, CVE-2025-31728): Stores and displays API keys in plain text

These vulnerabilities expose the credentials to any user with Item/Extended Read permission or with access to the Jenkins controller file system. Because the values were written unencrypted to config.xml, they also persist in backups and configuration-history copies; after updating or removing an affected plugin, the keys and passwords involved should be rotated.
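Jenkins serializes a properly protected hudson.util.Secret as base64 ciphertext wrapped in braces, so a secret-bearing element in config.xml whose value is not in that form is a candidate for the kind of plaintext storage described above. The following scanner is an added example, not code from the advisory or from any of the plugins named; the element names it matches on (password, apiKey, token and similar) are a heuristic, the two config.xml fragments are constructed, and the plugin schema shown (com.example.ExampleBuilder) is invented for illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed config.xml fragment in the shape a plugin that stores secrets
# unencrypted would write. The element names and the plugin class are
# illustrative assumptions, not the schema of any real plugin.
PLAINTEXT_SAMPLE = """<project>
  <builders>
    <com.example.ExampleBuilder plugin="example@1.0">
      <apiKey>sk_live_0123456789abcdef0123456789abcdef</apiKey>
      <password>hunter2</password>
    </com.example.ExampleBuilder>
  </builders>
</project>
"""

# Same shape, but with the values stored as hudson.util.Secret, which Jenkins
# serializes as base64 ciphertext wrapped in braces (constructed values).
ENCRYPTED_SAMPLE = """<project>
  <builders>
    <com.example.ExampleBuilder plugin="example@1.1">
      <apiKey>{AQAAABAAAAAQ4eU+1k3xJ5WuqS3q5Vw7P0LDbUJrfQSqjxFz8h+gPqs=}</apiKey>
      <password>{AQAAABAAAAAQuL3F0g5w+YcYwq1Sg5Zq9hXgnG8qQ1k8XhFJgqPNb9A=}</password>
    </com.example.ExampleBuilder>
  </builders>
</project>
"""

# Heuristic: element names that usually carry a credential.
SECRET_TAG = re.compile(r"(password|passphrase|secret|token|api[-_]?key)", re.IGNORECASE)
# Encrypted Secret form: {base64}. Anything else in a secret-named element is suspect.
ENCRYPTED_VALUE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def find_plaintext_secrets(xml_text):
    """Return (path, owning plugin, tag) for every secret-looking element whose
    text is not in the encrypted hudson.util.Secret format."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path, plugin):
        # Jenkins annotates the element that owns a plugin's data with plugin="id@version";
        # carry it down so a finding can be attributed to the plugin.
        plugin = elem.get("plugin", plugin)
        tag = elem.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        path = f"{path}/{tag}"
        value = (elem.text or "").strip()
        if value and SECRET_TAG.search(tag) and not ENCRYPTED_VALUE.match(value):
            findings.append((path, plugin, tag))
        for child in elem:
            walk(child, path, plugin)

    walk(root, "", None)
    return findings


def scan_jenkins_home(jenkins_home):
    """Scan every job config.xml under $JENKINS_HOME/jobs, including jobs nested in folders.
    Returns {config path: findings} for files with at least one plaintext finding."""
    results = {}
    for cfg in Path(jenkins_home, "jobs").rglob("config.xml"):
        findings = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        if findings:
            results[str(cfg)] = findings
    return results


if __name__ == "__main__":
    for label, sample in (("plaintext", PLAINTEXT_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        print(label, find_plaintext_secrets(sample))
```

Run it on a copy of the controller's JENKINS_HOME (or on a backup) rather than on the live file system, and treat the output as a triage list: a plugin may legitimately store a non-secret in an element that matches the name heuristic, and a plugin may store a secret under a name the heuristic misses.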

Affected Versions

The advisory lists the following versions as affected:

Jenkins weekly up to and including 2.503

Jenkins LTS up to and including 2.492.2

AsakusaSatellite Plugin up to and including 0.1.1

Cadence vManager Plugin up to and including 4.0.0-282.v5096a_c2db_275

monitor-remote-job Plugin up to and including 1.0

Simple Queue Plugin up to and including 1.4.6

Stack Hammer Plugin up to and including 1.0.6

Templating Engine Plugin up to and including 2.5.3

Fix Availability and Recommendations

Jenkins weekly users should update to version 2.504, while LTS users should update to version 2.492.3. 

Several plugins also have updated versions available: Cadence vManager Plugin (4.0.1-286.v9e25a_740b_a_48), Simple Queue Plugin (1.4.7), which also appears in the affected list, and Templating Engine Plugin (2.5.4). 

However, as of the advisory's publication, no fixes are available for AsakusaSatellite Plugin, Monitor-Remote-Job Plugin, or Stack Hammer Plugin. Until fixes ship, the practical options are to remove those plugins or, failing that, to restrict Item/Extended Read and controller file-system access to administrators and rotate the credentials they store.
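To check an installation against the version list above, the affected and fixed versions from the advisory can be compared with what the controller reports in its X-Jenkins response header and in /pluginManager/api/json. The script below is an added example, not part of the advisory; the plugin IDs it uses as keys (the shortName values reported by the plugin manager API) are assumptions and should be confirmed at https://plugins.jenkins.io/<id> before the results are relied on, and the plugin inventory it runs on is constructed. Its version ordering is a simplification of Jenkins' own VersionNumber logic: it compares only the leading numeric components, which is enough for the versions quoted here.

```python
import json
import re

# Affected ranges ("up to and including") and fixed releases as quoted from the advisory.
AFFECTED_CORE = {"weekly": "2.503", "lts": "2.492.2"}
FIXED_CORE = {"weekly": "2.504", "lts": "2.492.3"}

# Plugin IDs (the shortName field from /pluginManager/api/json) are assumptions;
# confirm each against https://plugins.jenkins.io/<id>. None means no fix was
# available at publication.
AFFECTED_PLUGINS = {
    "asakusa-satellite": ("0.1.1", None),
    "vmanager-plugin": ("4.0.0-282.v5096a_c2db_275", "4.0.1-286.v9e25a_740b_a_48"),
    "monitor-remote-job": ("1.0", None),
    "simple-queue": ("1.4.6", "1.4.7"),
    "stack-hammer": ("1.0.6", None),
    "templating-engine": ("2.5.3", "2.5.4"),
}

# Constructed plugin inventory in the shape returned by
# /pluginManager/api/json?tree=plugins[shortName,version]
SAMPLE_PLUGIN_API = json.dumps({"plugins": [
    {"shortName": "templating-engine", "version": "2.5.3"},
    {"shortName": "vmanager-plugin", "version": "4.0.1-286.v9e25a_740b_a_48"},
    {"shortName": "stack-hammer", "version": "1.0.6"},
    {"shortName": "git", "version": "5.7.0"},
]})


def version_key(version):
    """Leading numeric components of a Jenkins version string, as a tuple for ordering.
    '4.0.1-286.v9e25a_740b_a_48' -> (4, 0, 1, 286); the 'v...' commit suffix is ignored.
    Simplified relative to Jenkins' VersionNumber, but sufficient for the versions here."""
    key = []
    for token in re.split(r"[.\-]", version):
        if token.isdigit():
            key.append(int(token))
        else:
            break
    return tuple(key)


def is_affected(installed, max_affected):
    return version_key(installed) <= version_key(max_affected)


def core_line(version):
    # LTS releases carry three components (2.492.2); weekly releases carry two (2.503).
    # The distinction matters: 2.503 is numerically above 2.492.3 yet still affected.
    return "lts" if len(version_key(version)) == 3 else "weekly"


def check_core(version):
    """version: the X-Jenkins response header value. Returns a finding string or None."""
    line = core_line(version)
    if is_affected(version, AFFECTED_CORE[line]):
        return f"core ({line}) {version} affected; update to {FIXED_CORE[line]}"
    return None


def check_plugins(plugin_api_json):
    """plugin_api_json: body of /pluginManager/api/json?tree=plugins[shortName,version]"""
    findings = []
    for p in json.loads(plugin_api_json)["plugins"]:
        entry = AFFECTED_PLUGINS.get(p["shortName"])
        if entry is None:
            continue
        max_affected, fixed = entry
        if is_affected(p["version"], max_affected):
            action = f"update to {fixed}" if fixed else "no fix released; remove or restrict access"
            findings.append(f"{p['shortName']} {p['version']} affected; {action}")
    return findings


if __name__ == "__main__":
    for v in ("2.503", "2.504", "2.492.2", "2.492.3"):
        print(v, "->", check_core(v))
    for line in check_plugins(SAMPLE_PLUGIN_API):
        print(line)
```

Feeding the script from a live controller requires an account with Overall/Read for the header and plugin-manager endpoint; the check itself needs no other permission, which is one reason to run it from the blue-team side rather than granting anything extra.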

This advisory comes amid a series of security issues affecting Jenkins in recent months. In March 2025, Jenkins addressed vulnerabilities related to encrypted secret values in agent and view configurations. 

In January 2024, a critical file read vulnerability (CVE-2024-23897) allowed attackers to read arbitrary files through the Jenkins CLI, whose argument parser expanded an @-prefixed argument into the contents of the named file; at the time, one estimate put the share of cloud environments running an affected version at 43%.

That vulnerability enabled attackers to read sensitive files such as /etc/passwd, the controller's encryption keys, and source code. The frequency of Jenkins security advisories underscores the importance of maintaining proper security practices for CI/CD environments. 

To minimize exposure to these types of vulnerabilities, organizations should promptly apply available patches, keep permissions such as Item/Configure, Item/Extended Read and Computer/Create to the smallest set of users that need them, regularly audit installed plugins and remove unmaintained ones, and monitor the Jenkins security advisories.
