CVE-2025-67637
Jenkins's build authorization token is stored and displayed in plain text
4.3
MEDIUM
CVSS 3.1
EPSS 0.08%
Description
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
How to fix CVE-2025-67637
To remediate CVE-2025-67637, upgrade the affected package to a fixed version below.
- —upgrade to 2.528.3 or later
- —upgrade to 2.541 or later
Is CVE-2025-67637 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2.528.3, >= 2.529.0, < 2.541.0
- >= 2.529, < 2.541
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |