CVE-2025-32754 Overview
CVE-2025-32754 is a critical cryptographic vulnerability in Jenkins SSH-Agent Docker images version 6.11.1 and earlier. The vulnerability exists because SSH host keys are generated during the Docker image creation process rather than at container runtime. This design flaw causes all containers based on images of the same version to share identical SSH host keys, enabling man-in-the-middle attacks against Jenkins CI/CD infrastructure.
Critical Impact
Attackers positioned in the network path between Jenkins controllers and SSH build agents can impersonate build agents, potentially compromising build pipelines, injecting malicious code, or stealing sensitive credentials and artifacts.
Affected Products
- Jenkins SSH-Agent Docker images version 6.11.1 and earlier
- Debian-based Jenkins SSH-Agent container images
- Jenkins CI/CD environments using containerized SSH build agents
Discovery Timeline
- 2025-04-10 - CVE-2025-32754 published to NVD
- 2025-04-10 - Jenkins releases security advisory SECURITY-3565
- 2025-05-02 - Last updated in NVD database
Technical Details for CVE-2025-32754
Vulnerability Analysis
This vulnerability falls under CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator), though the core issue is more accurately described as improper key management during container image builds. In Jenkins SSH-Agent Docker images based on Debian, SSH host keys are generated once during the docker build process and baked into the resulting image layer. Every container instantiated from that image inherits these identical host keys.
SSH host keys serve as the cryptographic identity of an SSH server, allowing clients to verify they are connecting to the expected server. When multiple containers share the same host keys, an attacker who obtains these keys—or simply positions themselves to intercept network traffic—can impersonate any SSH build agent to the Jenkins controller. The attack does not require prior authentication, can be executed over the network, and compromises both confidentiality and integrity of the CI/CD pipeline communications.
Root Cause
The root cause is the timing of SSH host key generation in the Docker image build process. Standard SSH server installation procedures generate host keys at package installation time. When this occurs during docker build, the keys become static artifacts embedded in the image. The fix requires deferring key generation to container startup (runtime) so each container instance generates its own unique cryptographic identity.
Attack Vector
The attack requires network positioning between the Jenkins controller (SSH client) and the SSH build agent containers. An attacker with this position can:
- Intercept the SSH connection initiation from the Jenkins controller
- Present the known (shared) SSH host key to satisfy any host key verification
- Establish a separate connection to the legitimate build agent
- Relay, modify, or inject commands and data between both parties
This man-in-the-middle position allows attackers to steal credentials, modify build artifacts, inject malicious code into software builds, or exfiltrate sensitive source code and secrets. Since Jenkins pipelines often have elevated privileges and access to production deployment credentials, the impact extends well beyond the immediate CI/CD environment.
Detection Methods for CVE-2025-32754
Indicators of Compromise
- Multiple Jenkins SSH-Agent containers presenting identical SSH host key fingerprints
- Unexpected SSH connection terminations or re-negotiations during build agent communications
- Network traffic anomalies between Jenkins controllers and build agent subnets
- SSH host key fingerprint mismatches reported by Jenkins controller logs
Detection Strategies
- Inventory all running Jenkins SSH-Agent containers and compare SSH host key fingerprints across instances
- Monitor for SSH connections originating from unexpected network segments toward build agents
- Implement network segmentation monitoring to detect unauthorized man-in-the-middle positions
- Review Jenkins controller logs for SSH authentication anomalies or host key warnings
Monitoring Recommendations
- Deploy network intrusion detection to identify ARP spoofing or other MITM techniques
- Enable verbose SSH logging on Jenkins controllers to capture host key verification events
- Implement container image version tracking to identify vulnerable jenkins/ssh-agent deployments
- Use SentinelOne Singularity for containerized workloads to monitor for suspicious network behavior
How to Mitigate CVE-2025-32754
Immediate Actions Required
- Upgrade Jenkins SSH-Agent Docker images to version 6.11.2 or later immediately
- Regenerate all SSH host keys on existing build agent containers before upgrading
- Audit network architecture to minimize exposure of build agent traffic to untrusted network segments
- Rotate any credentials or secrets that may have traversed affected SSH connections
Patch Information
Jenkins has released version 6.11.2 of the SSH-Agent Docker images which addresses this vulnerability by generating SSH host keys at container startup rather than during image build. Refer to the Jenkins Security Advisory SECURITY-3565 for complete details and upgrade instructions.
Workarounds
- Remove pre-generated SSH host keys from custom images and regenerate them in container entrypoint scripts
- Implement strict network segmentation isolating Jenkins controllers and build agents from untrusted network segments
- Use TLS/VPN tunneling for all Jenkins controller to build agent communications as an additional layer
- Consider alternative build agent connection methods that do not rely on SSH host key verification
# Container entrypoint workaround - regenerate SSH host keys at startup
#!/bin/bash
# Remove existing host keys and regenerate
rm -f /etc/ssh/ssh_host_*
ssh-keygen -A
# Start SSH daemon
exec /usr/sbin/sshd -D
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
