CVE-2025-47888

5.9 MEDIUM

📋 TL;DR

The Jenkins DingTalk Plugin 2.7.3 and earlier disables SSL/TLS certificate validation for its connections to the configured DingTalk webhooks, so the plugin accepts any certificate presented to it. An attacker positioned on the network path between Jenkins and DingTalk can therefore terminate the TLS session with their own certificate and read or modify the webhook requests. This affects Jenkins instances that use the DingTalk Plugin to send notifications to DingTalk.

💻 Affected Systems

Products:
  • Jenkins DingTalk Plugin
Versions: 2.7.3 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Jenkins instances with DingTalk Plugin configured and enabled.

📦 What is this software?

The DingTalk Plugin lets Jenkins jobs post build notifications (status, job name, links) to DingTalk group chats through DingTalk's robot webhooks, which are HTTPS endpoints identified by an access token in the webhook URL.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers intercept Jenkins-to-DingTalk communications and read everything in the request, including the webhook access token carried in the URL and any build details in the message body. With the token they can post their own messages to the DingTalk group as if they were Jenkins, for example a fake "build passed" or a link that developers will trust and click.

🟠

Likely Case

A man-in-the-middle attacker reads or modifies webhook payloads containing build status, job names, console links, or other limited system information.

🟢

If Mitigated

With proper network segmentation and monitoring, impact is limited to potential data leakage of non-critical build information.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

No Jenkins account is involved; what the attacker needs is a position on the network path between the Jenkins controller and the DingTalk webhook hosts (for example a compromised router or egress proxy, or control of the DNS answers Jenkins receives). Once there, exploitation is trivial because the plugin accepts any certificate.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.4 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2025-05-14/#SECURITY-3353

Restart Required: Yes

Instructions:

1. Update Jenkins DingTalk Plugin to version 2.7.4 or later via Jenkins Plugin Manager.
2. Restart Jenkins after the update so the new plugin version is loaded.

🔧 Temporary Workarounds

Disable DingTalk Plugin

Applies to: all platforms

Temporarily disable the plugin if immediate update is not possible.

Navigate to Jenkins > Manage Jenkins > Manage Plugins (labelled "Plugins" in newer Jenkins releases) > Installed tab > find DingTalk Plugin > Disable. Note that disabling the plugin stops all DingTalk notifications until it is re-enabled.

🧯 If You Can't Patch

  • Restrict Jenkins' outbound traffic with an egress allowlist so it can reach only the legitimate DingTalk webhook hosts, and protect the DNS resolution Jenkins uses on that path; the fewer hops an attacker can sit on, the less this flaw is worth.
  • Monitor Jenkins-to-DingTalk traffic with a network sensor or egress proxy that validates server certificates itself, since the vulnerable plugin will not report a bad certificate.
  • Keep build-sensitive details out of notification templates while unpatched, and treat the webhook access token as exposed if interception is suspected (rotate the robot in DingTalk).

🔍 How to Verify

Check if Vulnerable:

Check Jenkins Plugin Manager for the DingTalk Plugin version. If the version is 2.7.3 or earlier and the plugin is enabled, the instance is vulnerable; it is actively exposed whenever a job or the global configuration has a DingTalk webhook set up, because that is when the plugin opens the unvalidated TLS connections.

Check Version:

Check via Jenkins web UI: Manage Jenkins > Manage Plugins > Installed tab > Find DingTalk Plugin

Verify Fix Applied:

Verify DingTalk Plugin version is 2.7.4 or later in Jenkins Plugin Manager.
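The version check above can be scripted against Jenkins' plugin manager REST endpoint. The following is an added example, not code from the advisory or the DingTalk Plugin project. It assumes the plugin's short name in the plugin manager is "dingding-notifications" (the id used by the Jenkins plugin repository; confirm it against your instance), that the instance exposes the standard /pluginManager/api/json endpoint to the supplied user and API token, and it embeds a constructed sample response so it runs offline.

```python
"""Added example (not part of the advisory or the DingTalk Plugin): check a
Jenkins instance for a DingTalk Plugin version affected by CVE-2025-47888.

Assumptions (not from the page): the plugin's short name is
"dingding-notifications", and /pluginManager/api/json?depth=1 is readable by
the supplied user and API token.
"""
import base64
import json
import re
import sys
import urllib.request

PLUGIN_SHORT_NAME = "dingding-notifications"  # assumed plugin id, verify locally
FIXED_VERSION = "2.7.4"                        # first fixed release per the page


def parse_version(v: str) -> tuple:
    """Turn '2.7.3' into a comparable tuple of ints, padded to 3 parts.
    Pre-release suffixes are dropped: a '2.7.4-beta' compares as 2.7.4 and
    would be reported as fixed, so check such builds by hand."""
    m = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = tuple(int(x) for x in m.group(0).split("."))
    return parts + (0,) * (3 - len(parts))


def assess(plugin_manager_json: dict) -> dict:
    """Given the JSON body of /pluginManager/api/json?depth=1, return a
    verdict for the DingTalk Plugin. 'vulnerable' means an affected version
    is installed AND enabled; 'needs_update' ignores the enabled flag."""
    for p in plugin_manager_json.get("plugins", []):
        if p.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = p.get("version", "")
        enabled = bool(p.get("enabled", False))
        try:
            affected = parse_version(version) < parse_version(FIXED_VERSION)
        except ValueError:
            affected = True  # unknown version string: assume the worst
        return {"installed": True, "version": version, "enabled": enabled,
                "vulnerable": affected and enabled, "needs_update": affected}
    return {"installed": False, "version": None, "enabled": False,
            "vulnerable": False, "needs_update": False}


def fetch_plugin_manager(base_url: str, user: str, api_token: str) -> dict:
    """Fetch the plugin list with HTTP basic auth (user + Jenkins API token).
    urllib's default HTTPS handling validates the server certificate, which is
    exactly the property the vulnerable plugin lacked."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample response shaped like Jenkins' pluginManager output, so the
# module runs offline; replace with a live fetch in practice.
SAMPLE_PLUGIN_MANAGER = {
    "plugins": [
        {"shortName": "git", "version": "5.6.0", "enabled": True},
        {"shortName": PLUGIN_SHORT_NAME, "version": "2.7.3", "enabled": True},
    ]
}

if __name__ == "__main__":
    # usage: python check_dingtalk.py https://jenkins.example.test admin <api-token>
    data = fetch_plugin_manager(*sys.argv[1:4]) if len(sys.argv) == 4 else SAMPLE_PLUGIN_MANAGER
    verdict = assess(data)
    print(json.dumps(verdict, indent=2))
    sys.exit(1 if verdict["vulnerable"] else 0)
```

Run it with no arguments to see the verdict for the constructed sample (version 2.7.3, enabled), or pass the Jenkins URL, a user name and that user's API token to query a live controller; a non-zero exit code means an affected version is enabled.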

📡 Detection & Monitoring

Log Indicators:

  • Nothing useful from Jenkins itself: because the plugin skips certificate validation, an intercepted handshake succeeds and Jenkins logs no TLS error. Look instead at a TLS-validating egress proxy or network sensor, which will record a certificate for the DingTalk host that does not chain to a trusted CA.
  • DingTalk messages whose content differs from what the job actually produced, or messages in the group that no Jenkins job sent (the webhook token is in the intercepted URL).

Network Indicators:

  • HTTPS sessions from the Jenkins controller to DingTalk webhook hosts whose server certificate fails validation (self-signed, unknown issuer, name mismatch) as seen by a passive monitor. The traffic is still encrypted; what is missing is a validated peer.
  • DingTalk host names resolving to unexpected addresses, or Jenkins' DingTalk traffic terminating at a host that is not DingTalk's.

SIEM Query:

Illustrative query against TLS metadata from a network sensor (field and sourcetype names depend on the sensor and SIEM; adapt them): <zeek_ssl_sourcetype> id.orig_h="<jenkins_controller_ip>" server_name="*dingtalk.com" validation_status!="ok"
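The network indicators above come down to one test: on the path from the Jenkins controller to a DingTalk webhook host, any TLS session whose server certificate a passive monitor cannot validate is an alert, because the vulnerable plugin would have accepted it silently. The following added example (not from the advisory or the plugin project) applies that test to Zeek ssl.log records. The Jenkins address, the issuer names and the three log lines are constructed for this example; the parser reads Zeek's #fields header rather than fixed column positions because the column set varies between Zeek versions, and validation_status is only present when Zeek's validate-certs policy is loaded.

```python
"""Added example, not from the advisory: flag Jenkins-to-DingTalk TLS sessions
whose server certificate did not validate, using Zeek ssl.log records.

Assumptions (constructed for this example): the Jenkins controller address,
the issuer strings and the sample log lines. "dingtalk.com" is the domain under
which the robot webhook hosts live.
"""
from typing import Dict, Iterable, List

JENKINS_HOST = "10.0.5.20"             # assumed Jenkins controller address
DINGTALK_SUFFIXES = ("dingtalk.com",)  # webhook hosts live under this domain


def parse_zeek_tsv(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse Zeek's TSV log format: '#fields' names the columns, other '#'
    lines are metadata, '-' means unset."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def is_dingtalk(server_name: str) -> bool:
    """Exact or subdomain match only; 'dingtalk.com.evil.test' is not DingTalk."""
    sn = server_name.lower().rstrip(".")
    return any(sn == s or sn.endswith("." + s) for s in DINGTALK_SUFFIXES)


def find_suspect_sessions(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return Jenkins -> DingTalk TLS sessions that Zeek could not validate.
    Anything other than validation_status == 'ok' on this path is an alert."""
    suspects = []
    for r in rows:
        if r.get("id.orig_h") != JENKINS_HOST:
            continue
        if not is_dingtalk(r.get("server_name", "-")):
            continue
        status = r.get("validation_status", "-")
        if status != "ok":
            suspects.append({
                "ts": r.get("ts"),
                "resp_h": r.get("id.resp_h"),
                "server_name": r.get("server_name"),
                "issuer": r.get("issuer", "-"),
                "validation_status": status,
            })
    return suspects


# Constructed sample: a reduced ssl.log with one clean session, one where an
# interposed host presented a self-signed certificate to Jenkins, and one
# self-signed session from a different client that is out of scope.
SAMPLE_SSL_LOG = """\
#separator \\x09
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name\tsubject\tissuer\tvalidation_status
#types\ttime\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring
1715700000.100\t10.0.5.20\t51234\t203.0.113.10\t443\toapi.dingtalk.com\tCN=*.dingtalk.com\tCN=Example Public CA\tok
1715700060.200\t10.0.5.20\t51240\t198.51.100.7\t443\toapi.dingtalk.com\tCN=oapi.dingtalk.com\tCN=oapi.dingtalk.com\tself signed certificate
1715700061.000\t10.0.5.21\t40000\t198.51.100.7\t443\toapi.dingtalk.com\tCN=oapi.dingtalk.com\tCN=oapi.dingtalk.com\tself signed certificate
"""

if __name__ == "__main__":
    for s in find_suspect_sessions(parse_zeek_tsv(SAMPLE_SSL_LOG.splitlines())):
        print(f"ALERT {s['ts']} {JENKINS_HOST} -> {s['resp_h']} ({s['server_name']}): "
              f"{s['validation_status']}; issuer={s['issuer']}")
```

On the sample this reports exactly one session, the self-signed certificate presented to the Jenkins controller; the clean session and the other client's session are ignored. Pointing it at a real ssl.log (`open(path)` instead of the embedded string) gives the same check over live data.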

🔗 References

  • Jenkins Security Advisory 2025-05-14, SECURITY-3353: https://www.jenkins.io/security/advisory/2025-05-14/#SECURITY-3353
