CVE-2025-30196: Jenkins AnchorChain Plugin Has a Cross-Site Scripting (XSS) Vulnerability

March 19, 2025

Jenkins AnchorChain Plugin 1.0 does not limit URL schemes for links it creates based on workspace content, allowing the javascript: scheme.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control the input file for the Anchor Chain post-build step.

As of publication of this advisory, there is no fix.

References

github.com/advisories/GHSA-xxrg-mg63-qfpj
github.com/jenkinsci/anchor-chain-plugin
nvd.nist.gov/vuln/detail/CVE-2025-30196
www.jenkins.io/security/advisory/2025-03-19/

Detect and mitigate CVE-2025-30196 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →