CVE-2025-27622: Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission

March 6, 2025

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of agents via REST API or CLI.

This allows attackers with Agent/Extended Read permission to view encrypted values of secrets.

Jenkins 2.500, LTS 2.492.2 redacts the encrypted values of secrets stored in agent config.xml accessed via REST API or CLI for users lacking Agent/Configure permission.

References

github.com/advisories/GHSA-p34j-r3ch-c985
github.com/jenkinsci/jenkins
github.com/jenkinsci/jenkins/commit/923cdbc165e8b8523ae960dfee5f7354878532d5
nvd.nist.gov/vuln/detail/CVE-2025-27622
www.jenkins.io/security/advisory/2025-03-05/

Detect and mitigate CVE-2025-27622 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →