CVE-2025-58458: Jenkins Git client Plugin file system information disclosure vulnerability

September 3, 2025 (updated November 5, 2025)

In Jenkins Git client Plugin 6.3.2 and earlier, Git URL field form validation responses differ based on whether the specified file path exists on the controller when specifying amazon-s3 protocol for use with JGit, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

References

github.com/advisories/GHSA-g2pq-9jr7-w6gv
github.com/jenkinsci/git-client-plugin
github.com/jenkinsci/git-client-plugin/commit/20090a86c3ebc72e5283c882de73e3a4459137bb
nvd.nist.gov/vuln/detail/CVE-2025-58458
www.jenkins.io/security/advisory/2025-09-03/

Code Behaviors & Features

Detect and mitigate CVE-2025-58458 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →