CVE-2025-58458 — Jenkins Git client Plugin file system information disclosure vulnerability

Description

In Jenkins Git client Plugin 6.3.2 and earlier, Git URL field form validation responses differ based on whether the specified file path exists on the controller when specifying `amazon-s3` protocol for use with JGit, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

How to fix CVE-2025-58458

To remediate CVE-2025-58458, upgrade the affected package to a fixed version below.

—upgrade to 6.3.3 or later

Is CVE-2025-58458 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 6.3.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-58458
PATCHgithub.com/jenkinsci/git-client-plugin
WEBgithub.com/jenkinsci/git-client-plugin/commit/20090a86c3ebc72e5283c882de73e3a4459137bb
WEBwww.jenkins.io/security/advisory/2025-09-03/#SECURITY-3590