CVE-2025-27624

Description

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not require POST requests for the HTTP endpoint toggling collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets), resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to have users toggle their collapsed/expanded status of sidepanel widgets. Additionally, as the API accepts any string as the identifier of the panel ID to be toggled, attacker-controlled content can be stored in the victim’s user profile in Jenkins. Jenkins 2.500, LTS 2.492.2 requires POST requests for the affected HTTP endpoint.

Affected packages (2)

• Bitnami/jenkins>= 2.493.0, < 2.504.1
• Maven/org.jenkins-ci.main:jenkins-core>= 2.493, < 2.500

CVSS scores

References (4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-27624
• PATCHhttps://github.com/jenkinsci/jenkins
• WEBhttps://github.com/jenkinsci/jenkins/commit/84ef1a4d4db17d0ce66522d0141f6e52e2a4c97c
• WEBhttps://www.jenkins.io/security/advisory/2025-03-05/#SECURITY-3498