CVE-2025-67638

4.3 MEDIUM

📋 TL;DR

Jenkins versions 2.540 and earlier (including LTS 2.528.2 and earlier) display build authorization tokens in plain text on job configuration forms. Anyone who can open these forms can read a token and potentially use it to trigger unauthorized builds. The exposure is therefore limited to Jenkins administrators and users who hold configuration permissions.

💻 Affected Systems

Products:
  • Jenkins
Versions: Jenkins 2.540 and earlier, Jenkins LTS 2.528.2 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The exposure is limited to users who can open job configuration forms, where build tokens are shown in plain text.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers capture build tokens and trigger malicious builds that could execute arbitrary code, exfiltrate sensitive data, or disrupt CI/CD pipelines.

🟠 Likely Case

Attackers with access to job configuration pages capture tokens and trigger unauthorized builds, potentially causing resource exhaustion or pipeline disruption.

🟢 If Mitigated

With proper access controls, only authorized users can view configuration pages, so the remaining exposure is confined to internal users who already hold configuration rights.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to job configuration pages. Attackers can simply view the exposed tokens on these forms.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Jenkins 2.541, Jenkins LTS 2.528.3

Vendor Advisory: https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-783

Restart Required: Yes

Instructions:

1. Back up your Jenkins instance.
2. Upgrade to Jenkins 2.541 or Jenkins LTS 2.528.3.
3. Restart Jenkins.
4. Verify the fix by checking that build tokens are now masked on job configuration forms.

🔧 Temporary Workarounds

Restrict access to job configuration (applies to: all)

Limit access to job configuration pages to only trusted administrators using Jenkins' Role-Based Authorization Strategy plugin.

Use alternative authentication methods (applies to: all)

Replace build authorization tokens with other authentication methods like SSH keys or API tokens where possible.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can view job configuration pages.
  • Regularly rotate build authorization tokens to limit the exposure window.

🔍 How to Verify

Check if Vulnerable:

Check Jenkins version via Manage Jenkins > About Jenkins. If version is 2.540 or earlier (or LTS 2.528.2 or earlier), the system is vulnerable.

Check Version:

java -jar jenkins.war --version
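A small version check that encodes the affected and fixed ranges stated above, added here as an example (it is not from this page or from the Jenkins project). It assumes the input is the version string printed by `java -jar jenkins.war --version`, and it compares the weekly line (two-component versions such as 2.540) and the LTS line (three-component versions such as 2.528.2) separately, because a plain numeric comparison would wrongly treat the fixed LTS 2.528.3 as older than 2.541.

```python
import re
import sys
from typing import Optional, Tuple

# Fixed versions as stated in the advisory for CVE-2025-67638.
FIXED_WEEKLY = (2, 541)      # weekly line: 2.541 and later are fixed
FIXED_LTS = (2, 528, 3)      # LTS line: 2.528.3 and later are fixed

# Weekly releases look like "2.540"; LTS releases look like "2.528.2".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_jenkins_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse the output of `java -jar jenkins.war --version` (or the string
    shown under Manage Jenkins > About Jenkins). Returns a tuple of ints,
    or None if the text is not a Jenkins version number."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def classify_cve_2025_67638(text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for a Jenkins version string.

    LTS and weekly lines are compared separately: LTS 2.528.3 is fixed even
    though 2.528 < 2.541, and an LTS release from an older line such as
    2.516.x is still vulnerable ("LTS 2.528.2 and earlier").
    """
    parts = parse_jenkins_version(text)
    if parts is None:
        return "unknown"
    if len(parts) == 3:           # three components => LTS release
        return "fixed" if parts >= FIXED_LTS else "vulnerable"
    return "fixed" if parts >= FIXED_WEEKLY else "vulnerable"


if __name__ == "__main__":
    # Usage: java -jar jenkins.war --version | python check_jenkins_version.py
    # (hypothetical script name; reads one version string from stdin)
    version = sys.stdin.read()
    verdict = classify_cve_2025_67638(version)
    print(f"Jenkins {version.strip()!r}: {verdict}")
    sys.exit(0 if verdict == "fixed" else 1)
```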

Verify Fix Applied:

After patching, verify that build tokens are masked (displayed as asterisks) on job configuration forms.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized build triggers using captured tokens
  • Multiple failed build attempts from unusual sources

Network Indicators:

  • Unusual build trigger patterns
  • Build requests from unexpected IP addresses

SIEM Query:

source="jenkins" AND (event="BUILD_TRIGGERED" OR event="BUILD_STARTED") AND user="anonymous"
