CVE-2025-67639 – A CSRF vulnerability in Jenkins allows attacker... (How to Fix)

Q: What is the severity of CVE-2025-67639?

CVE-2025-67639 has a CVSS score of 3.5 (LOW). A CSRF vulnerability in Jenkins allows attackers to trick authenticated users into logging into the attacker's Jenkins account. This affects Jenkins 2.540 and earlier, and Jenkins LTS 2.528.2 and earlier. Users with Jenkins accounts who visit malicious websites while authenticated to Jenkins are vulnerable.

📋 TL;DR

A CSRF vulnerability in Jenkins allows attackers to trick authenticated users into logging into the attacker's Jenkins account. This affects Jenkins 2.540 and earlier, and Jenkins LTS 2.528.2 and earlier. Users with Jenkins accounts who visit malicious websites while authenticated to Jenkins are vulnerable.

💻 Affected Systems

Products:

Jenkins
Jenkins LTS

Versions: Jenkins 2.540 and earlier, Jenkins LTS 2.528.2 and earlier

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: All installations within affected version ranges are vulnerable unless CSRF protections are specifically configured.

📦 What is this software?

Jenkins by Jenkins

View all CVEs affecting Jenkins →

Jenkins by Jenkins

View all CVEs affecting Jenkins →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains access to user's Jenkins session, potentially performing actions as the user including modifying jobs, accessing credentials, or escalating privileges.

🟠

Likely Case

User inadvertently logs into attacker's Jenkins account, exposing their Jenkins session to the attacker who can perform limited actions depending on the attacker's account permissions.

🟢

If Mitigated

No impact if CSRF protections are enabled or users don't visit malicious sites while authenticated.

🌐 Internet-Facing: MEDIUM - Requires user interaction with malicious content while authenticated, but internet-facing Jenkins instances increase attack surface.

🏢 Internal Only: LOW - Requires internal attacker or compromised internal system to host malicious content.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires user interaction with malicious web content while authenticated to Jenkins.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Jenkins 2.541, Jenkins LTS 2.528.3

Vendor Advisory: https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-1166

Restart Required: Yes

Instructions:

1. Backup Jenkins configuration and data. 2. Upgrade to Jenkins 2.541 or Jenkins LTS 2.528.3. 3. Restart Jenkins service. 4. Verify upgrade completed successfully.

🔧 Temporary Workarounds

Enable CSRF Protection

all

Configure Jenkins to use CSRF protection tokens

Configure 'Prevent Cross Site Request Forgery exploits' in Jenkins security settings

Restrict Jenkins Access

all

Limit Jenkins access to trusted networks only

Configure firewall rules to restrict Jenkins port access

🧯 If You Can't Patch

Implement network segmentation to restrict Jenkins access to trusted users only
Educate users about phishing risks and safe browsing practices

🔍 How to Verify

Check if Vulnerable:

Check Jenkins version in Manage Jenkins > About Jenkins

Check Version:

java -jar jenkins.war --version

Verify Fix Applied:

Verify version is 2.541 or higher for Jenkins, or 2.528.3 or higher for Jenkins LTS

📡 Detection & Monitoring

Log Indicators:

Multiple failed login attempts from same IP
Unusual user agent strings in access logs

Network Indicators:

HTTP POST requests to /j_spring_security_check with suspicious referrers

SIEM Query:

source="jenkins.log" AND "POST /j_spring_security_check" AND referer NOT CONTAINS "your-jenkins-domain"

📊 Metadata

CVE ID: CVE-2025-67639

CVSS v3 Score: 3.5 (LOW)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CWE: CWE-352

EPSS Score: 0.05% exploit probability (15.2th percentile)

Published: December 10, 2025

Last Updated: December 17, 2025

🔗 References

https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-1166 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-67639, you might also want to check these: