CVE-2025-5806

8.0 HIGH

📋 TL;DR

The Jenkins Gatling Plugin 136.vb_9009b_3d33a_e and earlier has a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into Gatling reports. Because the plugin serves reports in a way that bypasses Jenkins' Content-Security-Policy protection, an attacker only needs the ability to modify report content. Jenkins administrators and other users who view reports are at risk, and any user with report modification privileges can exploit it.

💻 Affected Systems

Products:
  • Jenkins Gatling Plugin
Versions: 136.vb_9009b_3d33a_e and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Jenkins 1.641/1.625 or later with Content-Security-Policy enabled; exploitation requires user privileges to modify Gatling report content.


⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with report modification privileges could execute arbitrary JavaScript in the context of Jenkins administrators, potentially leading to session hijacking, credential theft, or complete system compromise.

🟠 Likely Case

Authenticated users with report editing capabilities could inject malicious scripts that execute when administrators view reports, leading to session compromise or unauthorized actions.

🟢 If Mitigated

With proper access controls limiting who can modify reports, the impact is reduced to authorized users only, though they could still exploit the vulnerability.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with report modification permissions; the vulnerability is in how reports are served, bypassing CSP protections.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to Gatling Plugin version 137.vb_9009b_3d33a_e or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2025-06-06/#SECURITY-3588

Restart Required: Yes

Instructions:

1. Access the Jenkins Update Center.
2. Navigate to Manage Jenkins > Manage Plugins.
3. Find Gatling Plugin and update to version 137.vb_9009b_3d33a_e or later.
4. Restart Jenkins after the update.

🔧 Temporary Workarounds

Restrict Report Modification Permissions


Limit which users can create or modify Gatling reports to reduce attack surface.

Configure Jenkins role-based access control to restrict the 'Job/Configure' and 'Job/Build' permissions for Gatling projects.

🧯 If You Can't Patch

  • Disable or uninstall the Gatling Plugin if not required
  • Implement strict network segmentation to isolate Jenkins from sensitive systems

🔍 How to Verify

Check if Vulnerable:

Check Jenkins plugin manager for Gatling Plugin version; if version is 136.vb_9009b_3d33a_e or earlier, the system is vulnerable.

Check Version:

Navigate to Manage Jenkins > Manage Plugins > Installed tab and check the Gatling Plugin version.

Verify Fix Applied:

Verify Gatling Plugin version is 137.vb_9009b_3d33a_e or later in Jenkins plugin manager.
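The version check above can be automated against the JSON Jenkins serves at `/pluginManager/api/json?depth=1` (fetch it with an API token, then feed the body to the function). This is an added example, not code from the advisory or the plugin project; the plugin short name `gatling` and the sample JSON are assumptions constructed for illustration.

```python
import json
import re

# First fixed version named in this advisory; only its leading revision
# counter is needed for the comparison.
FIXED_LEADING_REVISION = 137  # 137.vb_9009b_3d33a_e

# Constructed sample of a GET /pluginManager/api/json?depth=1 response,
# trimmed to the fields used here. The 'gatling' short name is an assumption.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.7.0", "active": True},
        {"shortName": "gatling", "version": "136.vb_9009b_3d33a_e", "active": True},
    ]
})


def leading_revision(version: str) -> int:
    """Return the leading integer of a Jenkins plugin version string.

    Modern plugin versions look like '136.vb_9009b_3d33a_e': an increasing
    revision counter followed by a commit hash, so the counter orders releases.
    Legacy dotted versions such as '1.3.0' also yield their first number, which
    correctly places them in the '136.* and earlier' vulnerable range.
    """
    match = re.match(r"^(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    return int(match.group(1))


def assess_gatling_plugin(plugin_manager_json: str, short_name: str = "gatling") -> dict:
    """Classify the installed Gatling plugin against CVE-2025-5806.

    A disabled plugin is still flagged when its version is in range, because
    re-enabling it in the plugin manager does not change the version.
    """
    plugins = json.loads(plugin_manager_json).get("plugins", [])
    for plugin in plugins:
        if plugin.get("shortName") != short_name:
            continue
        version = plugin.get("version", "")
        return {
            "installed": True,
            "version": version,
            "active": bool(plugin.get("active", True)),
            "vulnerable": leading_revision(version) < FIXED_LEADING_REVISION,
        }
    return {"installed": False, "version": None, "active": False, "vulnerable": False}


if __name__ == "__main__":
    print(assess_gatling_plugin(SAMPLE_PLUGIN_MANAGER_JSON))
```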

📡 Detection & Monitoring

Log Indicators:

  • Unusual modifications to Gatling report files
  • JavaScript injection patterns in report content

Network Indicators:

  • Unexpected HTTP requests from Jenkins to external domains triggered by report viewing

SIEM Query:

source="jenkins.log" AND ("Gatling" AND "report") AND ("script" OR "javascript" OR "<script>")
