CVE-2025-59474

5.3 MEDIUM

📋 TL;DR

This vulnerability allows attackers without Overall/Read permission in Jenkins to list agent names through the sidepanel executors widget. It affects Jenkins 2.527 and earlier, and LTS 2.516.2 and earlier. The issue is caused by a missing permission check in a page component that is reachable by users who lack the Overall/Read permission.

💻 Affected Systems

Products:
  • Jenkins
Versions: Jenkins 2.527 and earlier, Jenkins LTS 2.516.2 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations within the vulnerable version range regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could enumerate all Jenkins agent names, potentially identifying build infrastructure for targeted attacks or reconnaissance.

🟠 Likely Case

Unauthorized users gain visibility into Jenkins agent infrastructure, enabling information gathering for further attacks.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to internal reconnaissance only.

🌐 Internet-Facing: MEDIUM - If Jenkins is exposed to the internet, attackers could enumerate agents without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could gather infrastructure information.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires some Jenkins user access, but not the Overall/Read permission. Exploitation involves accessing specific UI components (the sidepanel executors widget).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Jenkins 2.528, Jenkins LTS 2.516.3

Vendor Advisory: https://www.jenkins.io/security/advisory/2025-09-17/#SECURITY-3594

Restart Required: No

Instructions:

1. Backup your Jenkins instance.
2. Upgrade to Jenkins 2.528 or Jenkins LTS 2.516.3.
3. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Restrict access to Jenkins UI

Applies to: all affected versions

Limit network access to the Jenkins web interface to authorized users only.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Jenkins from untrusted networks
  • Review and tighten user permissions to minimize accounts with any Jenkins access

🔍 How to Verify

Check if Vulnerable:

Check the Jenkins version via Manage Jenkins > About Jenkins, or via the CLI: java -jar jenkins.war --version. Any version in the affected range (2.527 and earlier, or LTS 2.516.2 and earlier) is vulnerable.

Check Version:

java -jar jenkins.war --version

Verify Fix Applied:

Verify that the version is 2.528 or higher (or LTS 2.516.3 or higher), and test that a user without Overall/Read permission cannot view agent names in the sidepanel executors widget.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to Jenkins UI from unauthorized users
  • Multiple requests to sidepanel endpoints from low-privilege accounts

Network Indicators:

  • Traffic to Jenkins web interface from unexpected sources

SIEM Query:

source="jenkins.log" AND (uri="/sidepanel/" OR uri="/executors/") AND user!="admin"
