PT-2025-15973 · Jenkins · Jenkins/Ssh-Agent+1

Abhishek Reddypalle

·

Published

2025-04-10

·

Updated

2025-05-04

·

CVE-2025-32754

CVSS v2.0

9.4

Critical

Vector AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: jenkins/ssh-agent Docker images, versions 6.11.1 and earlier (Debian-based images)
Description: In the Debian-based jenkins/ssh-agent images, the SSH host keys are generated when the image is built rather than when a container starts. The private host key is therefore shipped inside the published image layers, and every container started from the same image version presents the same host key. Anyone who has pulled that image holds the key, so host-key verification on the SSH client (typically the Jenkins controller) cannot distinguish the real build agent from an impersonator. An attacker who can insert themselves into the network path between the controller and the SSH build agent can impersonate the agent and read or alter the traffic the controller sends to it.
Recommendations: For versions 6.11.1 and earlier, do not rely on the host keys shipped in the image: regenerate the SSH host keys for each container (for example, generate them at container start or mount per-container keys into /etc/ssh) and update the corresponding known_hosts entries on the Jenkins controller, or update to a version in which this issue is resolved. Until every container presents its own key, pinning the host key on the controller provides no protection, because the pinned key is the one the attacker already has. As a temporary workaround, restrict network access to the SSH build agent so that only the controller can reach it. At the time of writing, the available information does not name a fixed version.
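One practical check for the condition described above is to collect the host key each build agent presents (the format `ssh-keyscan <host>` prints) and flag any key that more than one agent shares. The script below is an added example, not code from the jenkins/ssh-agent project or from this advisory; the keyscan lines and the key material in it are constructed in-process for the example and are not real agent keys. It computes the same SHA256 fingerprint that `ssh-keygen -lf` and the ssh client print, so the output can be compared directly with what the Jenkins controller logs.

```python
"""Detect SSH host keys shared between build agents (added example).

Input format is what `ssh-keyscan <host>` prints:
    <host> <keytype> <base64 blob>
plus "# host:port banner" comment lines, which are skipped.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(public_key: bytes) -> str:
    """Build the base64 blob of an ssh-ed25519 public key (RFC 8709 layout).

    Used here only to construct sample data; in practice the blob comes
    from ssh-keyscan output or from /etc/ssh/ssh_host_*_key.pub.
    """
    blob = ssh_string(b"ssh-ed25519") + ssh_string(public_key)
    return base64.b64encode(blob).decode("ascii")


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def shared_host_keys(keyscan_lines):
    """Return {fingerprint: [hosts]} for every host key presented by more than one host."""
    hosts_by_fp = defaultdict(set)
    for line in keyscan_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or ssh-keyscan banner comment
        parts = line.split()
        if len(parts) < 3:
            continue  # not a "<host> <keytype> <blob>" record
        host, _keytype, blob = parts[0], parts[1], parts[2]
        hosts_by_fp[fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


# Constructed sample fleet: agent-1 and agent-2 were started from the same
# vulnerable image and present the same host key; agent-3 has its own key.
# The 32-byte "public keys" are placeholders, not real ed25519 keys.
SHARED_KEY = make_ed25519_blob(bytes(range(32)))
UNIQUE_KEY = make_ed25519_blob(bytes(range(32, 64)))
SAMPLE_KEYSCAN = [
    "# agent-1:22 SSH-2.0-OpenSSH_9.2",
    f"agent-1 ssh-ed25519 {SHARED_KEY}",
    f"agent-2 ssh-ed25519 {SHARED_KEY}",
    f"agent-3 ssh-ed25519 {UNIQUE_KEY}",
]

if __name__ == "__main__":
    findings = shared_host_keys(SAMPLE_KEYSCAN)
    if not findings:
        print("no shared host keys found")
    for fp, hosts in findings.items():
        print(f"{fp} is presented by {', '.join(hosts)}")
```

To use it against a real fleet, replace `SAMPLE_KEYSCAN` with the lines from `ssh-keyscan` run against each agent (one run per host, output concatenated); any fingerprint reported is a key that must be regenerated on every container that presents it, after which the matching known_hosts entries on the controller are stale and need to be replaced.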

Weakness Enumeration

Related Identifiers

BDU:2025-04588
CVE-2025-32754

Affected Products

Jenkins
Jenkins/Ssh-Agent