CVE-2025-27624: Jenkins cross-site request forgery (CSRF) vulnerability

March 6, 2025

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not require POST requests for the HTTP endpoint toggling collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets), resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to have users toggle their collapsed/expanded status of sidepanel widgets.

Additionally, as the API accepts any string as the identifier of the panel ID to be toggled, attacker-controlled content can be stored in the victim’s user profile in Jenkins.

Jenkins 2.500, LTS 2.492.2 requires POST requests for the affected HTTP endpoint.

References

github.com/advisories/GHSA-7g95-jmg9-h524
github.com/jenkinsci/jenkins
github.com/jenkinsci/jenkins/commit/84ef1a4d4db17d0ce66522d0141f6e52e2a4c97c
nvd.nist.gov/vuln/detail/CVE-2025-27624
www.jenkins.io/security/advisory/2025-03-05/

Detect and mitigate CVE-2025-27624 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →