CVE-2025-31723
Jenkins Simple Queue Plugin Cross-Site Request Forgery (CSRF)
CVSS 3.1 base score: 4.3 (MEDIUM)
EPSS: 0.10%
Description
Jenkins Simple Queue Plugin 1.4.6 and earlier does not require POST requests for multiple HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers to change and reset the build queue order. Simple Queue Plugin 1.4.7 requires POST requests for the affected HTTP endpoints. Administrators can enable equivalent HTTP endpoints without CSRF protection via the global configuration.
How to fix CVE-2025-31723
To remediate CVE-2025-31723, upgrade the affected package to a fixed version below.
- Upgrade to 1.4.7 or later
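As an added illustration (not the Simple Queue Plugin's code), the difference between a Jenkins/Stapler endpoint that answers plain GET requests and the same endpoint hardened with `@RequirePOST`, which is the kind of change the 1.4.7 fix describes; the class, URL path, parameter and the `ADMINISTER` permission check are hypothetical.

```java
// Hypothetical Jenkins root action used only to contrast the two patterns.
import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

@Extension
public class QueueOrderAction implements RootAction {

    // Stapler maps doResetOrder() to <jenkins-root>/queueOrder/resetOrder.
    // VULNERABLE PATTERN: without @RequirePOST the method answers a GET, so
    // a link or <img> on any page the logged-in user visits triggers it with
    // the browser's session cookie. Jenkins' crumb (CSRF token) filter only
    // checks POST requests, so it never sees this request.
    public HttpResponse doResetOrder() {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER); // assumed check
        // ... reset the build queue order (state-changing work) ...
        return HttpResponses.ok();
    }

    // HARDENED PATTERN: @RequirePOST makes Stapler reject any non-POST
    // request with HTTP 405 before the method body runs, so the only way in
    // is a POST, and a POST must carry a valid crumb to pass Jenkins' CSRF
    // filter. The permission check is still needed for authorization.
    @RequirePOST
    public HttpResponse doSetOrder(@QueryParameter int position) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER); // assumed check
        // ... move the selected queue item to `position` ...
        return HttpResponses.ok();
    }

    @Override public String getIconFileName() { return null; } // no sidebar link
    @Override public String getDisplayName() { return "Queue order (example)"; }
    @Override public String getUrlName() { return "queueOrder"; }
}
```

Note that the advisory says administrators can re-enable the unprotected endpoints in the global configuration, so the annotation alone is not the whole story: a hardening review should also confirm that option is off.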
Is CVE-2025-31723 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Simple Queue Plugin: versions >= 0 and < 1.4.7
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |