CVE-2025-47888 — Jenkins DingTalk Plugin Unconditionally Disables SSL/TLS Certificate and Hostnam

Description

Jenkins DingTalk Plugin 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks.

How to fix CVE-2025-47888

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2025-47888 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 2.7.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-47888
PATCHgithub.com/jenkinsci/dingtalk-plugin
WEBwww.jenkins.io/security/advisory/2025-05-14/#SECURITY-3353