CVE-2025-53651 — Jenkins HTML Publisher Plugin vulnerability displays controller file system info

Description

Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log. HTML Publisher Plugin 427 displays only the parent directory name of files archived during the Publish HTML reports post-build step in its log messages.

How to fix CVE-2025-53651

To remediate CVE-2025-53651, upgrade the affected package to a fixed version below.

—upgrade to 427 or later

Is CVE-2025-53651 being exploited?

Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 427

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-53651
PATCHgithub.com/jenkinsci/htmlpublisher-plugin
WEBwww.jenkins.io/security/advisory/2025-07-09/#SECURITY-3547
WEBwww.openwall.com/lists/oss-security/2025/07/09/4