CVE-2025-67640
📋 TL;DR
This vulnerability in Jenkins Git client Plugin allows attackers who can control workspace directory names to inject arbitrary operating system commands through improper escaping in temporary shell scripts. It affects Jenkins instances using Git client Plugin 6.4.0 or earlier. Attackers could execute commands with the privileges of the Jenkins process.
💻 Affected Systems
- Jenkins Git client Plugin
📦 What is this software?
Git Client by Jenkins
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution leading to complete system compromise, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Limited command execution within Jenkins context, potentially accessing sensitive build artifacts, credentials, or disrupting CI/CD pipelines.
If Mitigated
No impact if workspace directory names are properly controlled and restricted to trusted users only.
🎯 Exploit Status
Exploitation requires ability to set workspace directory names, which typically requires authenticated access to Jenkins.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.1 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3614
Restart Required: Yes
Instructions:
1. Access the Jenkins web interface.
2. Navigate to Manage Jenkins > Manage Plugins.
3. Go to the Available tab.
4. Search for 'Git client Plugin'.
5. Check 'Git client Plugin' and click 'Install without restart' or 'Download now and install after restart'.
6. Restart Jenkins if required.
🔧 Temporary Workarounds
Restrict workspace directory control
Limit which users can create or modify workspace directory names to trusted administrators only.
Disable Git client Plugin if unused
Temporarily disable the plugin if Git functionality is not required.
Navigate to Manage Jenkins > Manage Plugins > Installed tab, find 'Git client Plugin', click 'Disable'
🧯 If You Can't Patch
- Implement strict access controls on workspace creation and modification
- Monitor Jenkins logs for suspicious workspace directory names containing shell metacharacters
🔍 How to Verify
Check if Vulnerable:
Check Jenkins plugin manager for Git client Plugin version. If version is 6.4.0 or earlier, the system is vulnerable.
Check Version:
Access Jenkins web UI > Manage Jenkins > Manage Plugins > Installed tab > Find 'Git client Plugin'
Verify Fix Applied:
Verify Git client Plugin version is 6.4.1 or later in Jenkins plugin manager.
📡 Detection & Monitoring
Log Indicators:
- Unusual workspace directory names containing shell metacharacters like ;, &, |, $, `, \n
- Unexpected shell command execution in Jenkins logs
Network Indicators:
- Unusual outbound connections from Jenkins server during build processes
SIEM Query:
source="jenkins.log" AND ("workspace" AND ("$" OR ";" OR "&" OR "|" OR "`" OR "\\n"))
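The version check from "How to Verify" and the metacharacter scan from "Detection & Monitoring", as an added example script (not code from the advisory or from the Git client Plugin project). It assumes a local workspace root such as `$JENKINS_HOME/workspace` and that the version string comes from the plugin manager; sample names are constructed.

```python
import re
from pathlib import Path

# Metacharacters the advisory lists as log indicators in workspace names.
SHELL_METACHARS = set(";&|$`\n")
# Broader POSIX sh metacharacter set for a stricter scan (added here; the
# advisory itself only lists the characters above).
EXTRA_METACHARS = set("()<>\"'\\*?#~ \t")

FIXED_VERSION = (6, 4, 1)  # advisory: 6.4.1 or later is fixed


def parse_version(v: str) -> tuple:
    """Turn '6.4.0', '6.4' or '6.4.1-rc1' into a comparable int tuple."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p or 0) for p in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the installed Git client Plugin is 6.4.0 or earlier."""
    return parse_version(version) < FIXED_VERSION


def flag_name(name: str, strict: bool = False) -> set:
    """Return the set of shell metacharacters found in one workspace name."""
    chars = SHELL_METACHARS | (EXTRA_METACHARS if strict else set())
    return {c for c in name if c in chars}


def scan_workspace_root(root, strict: bool = False) -> dict:
    """Map each suspicious directory directly under root to its bad chars."""
    findings = {}
    for entry in Path(root).iterdir():
        if entry.is_dir():
            bad = flag_name(entry.name, strict)
            if bad:
                findings[entry.name] = bad
    return findings


if __name__ == "__main__":
    # Constructed sample names, not taken from a real Jenkins instance.
    for n in ["my-job", "job;name", "build$HOME|x", "rel 1.0"]:
        print(f"{n!r} -> {sorted(flag_name(n)) or 'clean'}")
    print("6.4.0 vulnerable:", is_vulnerable("6.4.0"))
```

Run `scan_workspace_root("/var/lib/jenkins/workspace")` (path is an assumption) to list existing workspaces whose names would trip the advisory's indicators.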