CVE-2025-67641
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in the Jenkins Coverage Plugin allows attackers with Item/Configure permission to inject malicious JavaScript by supplying javascript: scheme URLs as coverage result identifiers through the REST API. It affects Jenkins instances running the Coverage Plugin and can enable session hijacking, credential theft, or administrative actions performed in a victim's browser. Only users who already hold Item/Configure permission can exploit it.
💻 Affected Systems
- Jenkins Coverage Plugin
📦 What is this software?
Coverage by Jenkins
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, install backdoors, or perform destructive actions on the Jenkins instance and connected systems.
Likely Case
Attackers with Item/Configure permission could steal session cookies, redirect users to malicious sites, or perform limited administrative actions within the Jenkins interface.
If Mitigated
With proper access controls limiting Item/Configure permissions to trusted users only, the attack surface is significantly reduced to authorized personnel.
🎯 Exploit Status
Exploitation requires Item/Configure permission and access to the Jenkins REST API. The flaw is specifically a validation bypass on the REST API path: identifiers submitted through the API were not subjected to the same checks as those entered elsewhere.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3054.ve1ff7b_a_a_123c or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3611
Restart Required: Yes
Instructions:
1. Update the Jenkins Coverage Plugin to version 2.3054.ve1ff7b_a_a_123c or later via the Jenkins Plugin Manager.
2. Restart the Jenkins instance.
3. Verify the plugin version in Manage Jenkins > Manage Plugins.
🔧 Temporary Workarounds
Restrict Item/Configure Permissions
Limit Item/Configure permissions to trusted administrators only to reduce the attack surface.
Disable Coverage Plugin
Temporarily disable the Coverage Plugin if it is not essential for operations.
Navigate to Manage Jenkins > Manage Plugins > Installed tab, find Coverage Plugin and click Disable.
🧯 If You Can't Patch
- Implement strict access controls to limit Item/Configure permissions to minimal trusted users only.
- Monitor Jenkins REST API logs for suspicious coverage identifier configurations containing javascript: scheme URLs.
🔍 How to Verify
Check if Vulnerable:
Check the Jenkins Coverage Plugin version in Manage Jenkins > Manage Plugins > Installed tab. If the installed version is 2.3054.ve1ff7b_a_a_123b or earlier, the system is vulnerable.
Check Version:
Check Jenkins web interface at Manage Jenkins > Manage Plugins > Installed tab, or examine $JENKINS_HOME/plugins/coverage.jpi/META-INF/MANIFEST.MF
Verify Fix Applied:
Verify Coverage Plugin version is 2.3054.ve1ff7b_a_a_123c or later in Manage Jenkins > Manage Plugins > Installed tab.
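The manifest path named above can be checked without the web UI. The following script is an added example and is not part of this advisory or of the Coverage Plugin. It assumes the manifest carries the standard Jenkins `Short-Name:` and `Plugin-Version:` headers, that `coverage.jpi` is a zip archive (Jenkins also explodes it into `plugins/coverage/`), and that versions are ordered by their numeric prefix (for example `2.3054`); because the `.v<hash>` suffix is not orderable, a version with the same numeric prefix is only accepted when the suffix exactly matches the fixed build from this advisory. The sample manifests embedded in the script are constructed, and the vulnerable sample's hash is a placeholder.

```python
"""Check whether the installed Jenkins Coverage Plugin is at or past the fixed
build named in the advisory, by reading the plugin's META-INF/MANIFEST.MF.

Added example, not code from the advisory or the plugin. Assumptions: the
manifest has Short-Name and Plugin-Version headers; the numeric prefix of the
version is comparable; hash suffixes are only accepted on exact match.
"""
import re
import sys
import zipfile
from pathlib import Path

FIXED_VERSION = "2.3054.ve1ff7b_a_a_123c"  # fixed build from the advisory

# Constructed sample manifests (not real plugin output). The hash in the
# vulnerable sample is a placeholder, not a real build identifier.
SAMPLE_VULNERABLE = """Manifest-Version: 1.0
Short-Name: coverage
Plugin-Version: 2.2931.vEXAMPLEHASH
Long-Name: Coverage
"""
SAMPLE_FIXED = """Manifest-Version: 1.0
Short-Name: coverage
Plugin-Version: 2.3054.ve1ff7b_a_a_123c
"""


def parse_manifest(text):
    """Return manifest headers as a dict. A line starting with a single space
    continues the previous header (JAR manifest line-wrapping rule)."""
    headers, last = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and last:
            headers[last] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if sep:
            last = key.strip()
            headers[last] = value.strip()
    return headers


def split_version(version):
    """Split '2.3054.ve1ff7b_a_a_123c' into ((2, 3054), 've1ff7b_a_a_123c')."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:\.(v.*))?$", version)
    if not m:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    numeric = tuple(int(p) for p in m.group(1).split("."))
    return numeric, m.group(2) or ""


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when installed is the fixed build itself or a later numeric release."""
    inst_num, inst_suffix = split_version(installed)
    fix_num, fix_suffix = split_version(fixed)
    if inst_num != fix_num:
        return inst_num > fix_num
    # Same numeric release: hash suffixes cannot be ordered, so only the exact
    # fixed build is accepted (conservative assumption).
    return inst_suffix == fix_suffix


def check_manifest(text, fixed=FIXED_VERSION):
    """Return {'version': ..., 'fixed': bool} for a Coverage Plugin manifest."""
    headers = parse_manifest(text)
    if headers.get("Short-Name") != "coverage":
        raise ValueError("not the Coverage Plugin manifest")
    version = headers["Plugin-Version"]
    return {"version": version, "fixed": is_fixed(version, fixed)}


def read_installed_manifest(jenkins_home):
    """Read the manifest from coverage.jpi (a zip archive) or, failing that,
    from the exploded plugins/coverage/ directory."""
    plugins = Path(jenkins_home) / "plugins"
    jpi = plugins / "coverage.jpi"
    if jpi.is_file():
        with zipfile.ZipFile(jpi) as zf:
            return zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    return (plugins / "coverage" / "META-INF" / "MANIFEST.MF").read_text()


if __name__ == "__main__":
    # With a JENKINS_HOME argument, check the live install; otherwise show the
    # decision on the two constructed samples.
    if len(sys.argv) > 1:
        print(check_manifest(read_installed_manifest(sys.argv[1])))
    else:
        for label, text in (("vulnerable sample", SAMPLE_VULNERABLE),
                            ("fixed sample", SAMPLE_FIXED)):
            print(label, check_manifest(text))
```

Run it as `python check_coverage_version.py "$JENKINS_HOME"` on the controller; an exception from `read_installed_manifest` means the plugin is not installed at the expected path, which is itself worth noting during verification.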
📡 Detection & Monitoring
Log Indicators:
- REST API calls configuring coverage results with javascript: scheme identifiers
- Unusual coverage identifier patterns in job configurations
Network Indicators:
- HTTP POST requests to Jenkins REST API with coverage identifier parameters containing javascript: scheme
SIEM Query:
source="jenkins" AND (uri_path="/job/*/configSubmit" OR uri_path="/createItem") AND (param="coverage.id" OR param="coverage.identifier") AND value CONTAINS "javascript:"
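The SIEM query above does a plain substring match on `javascript:`, which misses values that are percent-encoded, mixed-case, or carry whitespace and control characters that URL parsers strip before interpreting the scheme. The script below is an added example, not part of this advisory or of Jenkins, that applies that normalisation before matching. It assumes a log source exposing the request method, path and raw form parameters, and takes the parameter names `coverage.id` / `coverage.identifier` from the SIEM query above as assumed field names; the log lines it scans are constructed.

```python
"""Flag Jenkins REST API requests whose coverage identifier parameters carry a
javascript: scheme, the indicator this advisory names.

Added example, not code from the advisory or from Jenkins. Assumptions: each
log record is "<method> <path> <raw form body>"; identifier parameters are
named coverage.id or coverage.identifier (from the SIEM query).
"""
import re
from urllib.parse import unquote_plus

# Constructed sample log lines in the assumed "<method> <path> <body>" shape.
SAMPLE_LOG = """\
POST /job/app-build/configSubmit coverage.id=jacoco&coverage.name=JaCoCo
POST /job/app-build/configSubmit coverage.id=JavaScript%3Aalert(1)&coverage.name=x
POST /createItem name=evil&coverage.identifier=java%09script:alert(1)
POST /job/app-build/configSubmit coverage.id=https://example.invalid/report
GET /job/app-build/api/json depth=1
"""

IDENT_PARAMS = ("coverage.id", "coverage.identifier")   # assumed field names
CONFIG_PATHS = re.compile(r"^(/job/[^/]+/configSubmit|/createItem)$")
_NOISE = re.compile(r"[\s\x00-\x1f]")  # whitespace and ASCII control characters


def normalise(value):
    """Undo what a substring filter misses: percent-encoding, embedded
    whitespace/control characters, and mixed case."""
    decoded = unquote_plus(value)
    return _NOISE.sub("", decoded).lower()


def has_js_scheme(value):
    """True when the (normalised) value starts with the javascript: scheme."""
    return normalise(value).startswith("javascript:")


def parse_params(body):
    """Split a raw form body into {name: raw_value}; values stay encoded so
    that normalise() controls the decoding."""
    params = {}
    for pair in body.split("&") if body else []:
        key, _, raw = pair.partition("=")
        params[key] = raw
    return params


def parse_line(line):
    parts = line.split(" ", 2)
    method, path = parts[0], parts[1]
    body = parts[2] if len(parts) > 2 else ""
    return method, path, parse_params(body)


def detect(log_text):
    """Return one hit per configuration request with a javascript: identifier."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        method, path, params = parse_line(line)
        if method != "POST" or not CONFIG_PATHS.match(path):
            continue
        for name in IDENT_PARAMS:
            if name in params and has_js_scheme(params[name]):
                hits.append({"line": lineno, "path": path, "param": name,
                             "value": unquote_plus(params[name])})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['path']} {hit['param']}={hit['value']!r}")
```

Each hit identifies the job (from the path) whose configuration should be inspected and reverted; pairing the hit with the authenticated user in the same log record tells you which Item/Configure holder to review.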