Security Flaw in Jenkins Affects User Redirects
CVE-2025-27625

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins
Vendor: CVE Published:; 5 March 2025

Summary

In Jenkins versions 2.499 and earlier, as well as LTS 2.492.1 and earlier, an issue arises with redirects that begin with backslash (\) characters. These redirects are incorrectly deemed safe, presenting a security risk. Attackers can exploit this flaw by tricking users into navigating a Jenkins URL that redirects them to a malicious site. This manipulation occurs due to how browsers interpret these characters in scheme-relative redirects, thereby facilitating phishing attempts and endangering user credentials.

Affected Version(s)

Jenkins 2.492.2

Jenkins 2.492.2 < 2.492.*

Jenkins 2.500

References

https://www.jenkins.io/security/advisory/2025-03-05/#SECU...

vendor-advisory

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Mar 5, 2025
Vulnerability Reserved
Mar 4, 2025