CVE-2025-53651: Jenkins HTML Publisher Plugin vulnerability displays controller file system information in its logs

July 9, 2025

Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log.

HTML Publisher Plugin 427 displays only the parent directory name of files archived during the Publish HTML reports post-build step in its log messages.

References

github.com/advisories/GHSA-367v-5ppj-2hrx
github.com/jenkinsci/htmlpublisher-plugin
nvd.nist.gov/vuln/detail/CVE-2025-53651
www.jenkins.io/security/advisory/2025-07-09/

Code Behaviors & Features

Detect and mitigate CVE-2025-53651 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →