CVE-2025-31725: Jenkins monitor-remote-job Plugin Stores Passwords Unencrypted
Jenkins monitor-remote-job Plugin 1.0 stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
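With no fix available, one defensive check is to audit job config.xml files on the controller for password-like elements whose values are not in Jenkins' encrypted form. The script below is an added example, not code from the advisory or the plugin. It assumes encrypted Secret values appear as brace-wrapped base64, and the plugin element names in the constructed sample are hypothetical.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: encrypted Jenkins Secret values are written as {base64}.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Jenkins writes an XML 1.1 declaration that Python's expat parser rejects.
XML_DECL = re.compile(rb"^\s*<\?xml[^>]*\?>")

def find_plaintext_passwords(jenkins_home):
    """Return (config path, element tag) for password-like elements whose
    text is not in the encrypted form. The values are never returned."""
    findings = []
    for cfg in sorted(Path(jenkins_home, "jobs").rglob("config.xml")):
        try:
            root = ET.fromstring(XML_DECL.sub(b"", cfg.read_bytes(), count=1))
        except ET.ParseError:
            findings.append((str(cfg), "<unparseable>"))
            continue
        for el in root.iter():
            text = (el.text or "").strip()
            if "password" in el.tag.lower() and text and not ENCRYPTED.match(text):
                findings.append((str(cfg), el.tag))
    return findings

def build_sample_home(base):
    """Constructed sample data; the plugin element names are hypothetical."""
    body = ("<project><builders><hypothetical.RemoteJobMonitor><user>svc</user>"
            "<password>%s</password></hypothetical.RemoteJobMonitor></builders></project>")
    samples = {
        "plain-job": "<?xml version='1.1' encoding='UTF-8'?>\n" + body % "constructed-pw",
        "secret-job": body % "{AQAAABAAAAAQc2FtcGxlLWNpcGhlcnRleHQ=}",
    }
    for name, xml in samples.items():
        job = Path(base, "jobs", name)
        job.mkdir(parents=True)
        (job / "config.xml").write_text(xml, encoding="utf-8")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        for path, tag in find_plaintext_passwords(build_sample_home(home)):
            print(f"plaintext value in <{tag}>: {path}")
```

Point `find_plaintext_passwords` at a copy of `JENKINS_HOME` to list affected jobs; any credential it flags should be treated as exposed to users with Item/Extended Read and rotated.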