CVE-2025-67638 - Jenkins Authorization Token Leak

Threat Intelligence

Low Risk

EPSS Score: 0.02% chance of exploitation (percentile: 4%)

🔍 Detection Tools: None available in major open-source tools

⚔️ Exploit Availability: No public exploits found

What is it?

Jenkins is a popular open-source automation server used for building, testing, and deploying software projects. The vulnerability in question allows attackers to observe and capture build authorization tokens displayed on the job configuration form, increasing the potential for unauthorized access.

Am I affected?

Affected versions: 2.528.2, 2.540 If you don't recognise this software, you're probably not affected.

Affected Packages

maven: org.jenkinsci.plugins:authorization-plugin

Affected Products

Jenkins Software Foundation / Jenkins

How to fix

To fix this issue:

Upgrade to Jenkins 2.540 or later.
- Maven: Update your pom.xml dependency version to org.jenkinsci.plugins:authorization-plugin:2.540
- npm: No patch available; consider upgrading
- pypi: No patch available; consider upgrading
- go: No patch available; consider upgrading
- nuget: No patch available; consider upgrading
- cargo: No patch available; consider upgrading
Immediate mitigations:
- Restrict network access to your Jenkins instance (firewall it from the public internet)
- Audit job configuration files for suspicious token patterns

References

www.jenkins.io