SSH Host Key Vulnerability in Jenkins Docker Images by Jenkins
CVE-2025-32755
9.1 CRITICAL
Key Information:
- Vendor: Jenkins
- CVE Published: 10 April 2025
What is CVE-2025-32755?
In the jenkins/ssh-slave Docker images built on Debian, the SSH host keys are generated when the image is created rather than when a container first starts. As a result, all containers derived from these images share the same SSH host keys. An attacker with access to the network who can position themselves between the SSH client (usually the Jenkins controller) and the SSH build agent can therefore impersonate the build agent, potentially leading to unauthorized access and control.
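A defender's check for the condition described above, as an added example that is not part of the original advisory or the Jenkins project's code: it groups host keys collected in ssh-keyscan output format by fingerprint and reports any key presented by more than one agent. The agent names and key blobs are constructed sample data.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(keyscan_text):
    """Return {"keytype fingerprint": [hosts]} for keys seen on 2+ hosts."""
    hosts_by_key = defaultdict(set)
    for line in keyscan_text.splitlines():
        parts = line.split()
        # Skip blank lines, ssh-keyscan "# host:port banner" comments, short lines.
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        host, keytype, blob = parts[:3]
        try:
            fp = fingerprint(blob)
        except ValueError:  # malformed base64 (binascii.Error is a ValueError)
            continue
        hosts_by_key[(keytype, fp)].add(host)
    return {f"{kt} {fp}": sorted(hosts)
            for (kt, fp), hosts in hosts_by_key.items() if len(hosts) > 1}


def _constructed_key(seed):
    # Constructed ed25519-shaped blob for the sample below; not a real host key.
    body = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(body).decode()


# Constructed sample: agent-1 and agent-2 present the key baked into the image,
# agent-3 presents a key generated per container.
BAKED = _constructed_key(b"baked-into-image")
SAMPLE_KEYSCAN = "\n".join([
    "# agent-1:22 SSH-2.0-OpenSSH (constructed)",
    f"agent-1 ssh-ed25519 {BAKED}",
    f"agent-2 ssh-ed25519 {BAKED}",
    f"agent-3 ssh-ed25519 {_constructed_key(b'unique-per-container')}",
])

if __name__ == "__main__":
    for key, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"shared host key {key}: {', '.join(hosts)}")
```

Any group in the result means those agents cannot be told apart by host key, so their keys should be regenerated per container.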
Affected Version(s)
Jenkins jenkins/ssh-slave Docker images alpine