PT-2025-9862 · Jenkins+1 · Jenkins+1

Xbow

Published

2025-03-05

Updated

2025-06-24

CVE-2025-27625

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.499 and earlier, LTS 2.492.1 and earlier

Description The issue allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site. This is because browsers interpret backslash (``) characters as part of scheme-relative redirects, and in Jenkins 2.499 and earlier, LTS 2.492.1 and earlier, redirects starting with these characters are considered safe.

Recommendations For Jenkins versions 2.499 and earlier, update to version 2.500 or later. For Jenkins LTS 2.492.1 and earlier, update to LTS 2.492.2 or later. As a temporary workaround, consider restricting access to URLs starting with backslash (``) characters to minimize the risk of exploitation.

Fix

Open Redirect

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-601

Related Identifiers

BDU:2025-04959

BIT-JENKINS-2025-27625

CVE-2025-27625

GHSA-8HMV-92WM-39CH

Affected Products

Jenkins

Red Os

PT-2025-9862 · Jenkins+1 · Jenkins+1

CVE-2025-27625

Weakness Enumeration

Related Identifiers

Affected Products

References · 15