CVE-2025-47885 Overview
CVE-2025-47885 is a stored cross-site scripting (XSS) vulnerability in the Jenkins Health Advisor by CloudBees Plugin, version 374.v194b_d4f0c8c8 and earlier. The plugin fails to escape responses received from the Jenkins Health Advisor server before rendering them in the Jenkins web interface. Attackers who can control or tamper with Jenkins Health Advisor server responses can inject arbitrary JavaScript that executes in the browser context of any Jenkins user viewing the affected pages. The flaw is tracked under Jenkins Security Advisory SECURITY-3559 and is classified as [CWE-79].
Critical Impact
Successful exploitation enables script execution in authenticated Jenkins user sessions, including administrators, leading to potential session hijacking and CI/CD pipeline compromise.
Affected Products
- Jenkins Health Advisor by CloudBees Plugin 374.v194b_d4f0c8c8 and earlier
- Jenkins controllers with the plugin installed and enabled
- CI/CD environments relying on Health Advisor diagnostic feedback
Discovery Timeline
- 2025-05-14 - Jenkins publishes Security Advisory SECURITY-3559
- 2025-05-14 - CVE-2025-47885 published to NVD
- 2025-06-12 - Last updated in NVD database
Technical Details for CVE-2025-47885
Vulnerability Analysis
The Jenkins Health Advisor by CloudBees Plugin retrieves advisory and diagnostic content from the upstream Jenkins Health Advisor service. The plugin renders that content in the Jenkins UI without applying HTML escaping. When the response contains attacker-controlled HTML or JavaScript, the browser parses and executes it within the Jenkins origin.
The injected payload runs in the security context of the authenticated user viewing the page. An attacker can read CSRF tokens, issue authenticated API calls, modify job configurations, or pivot to remote code execution by abusing administrator privileges. Because the unescaped content is persisted and re-displayed across sessions, the issue qualifies as stored XSS rather than reflected.
Exploitation requires user interaction, since a Jenkins user must navigate to a page that displays the unsafe Health Advisor response. The attack vector is network-based, and no authentication is required from the attacker controlling the upstream response.
Root Cause
The root cause is missing output encoding [CWE-79]. The plugin trusts the Health Advisor server response and inserts it into the DOM verbatim. Standard Jenkins UI escaping helpers such as Jelly's ${...} expression with default escaping or h.xmlEscape() were not applied to the externally sourced content.
Attack Vector
An attacker capable of controlling responses from the Jenkins Health Advisor server, through compromise of that service, DNS hijacking, TLS interception, or a malicious proxy positioned between Jenkins and the Health Advisor endpoint, can inject malicious markup. The payload is stored by the plugin and rendered when Jenkins users view advisor output. The vulnerability mechanism is described in the Jenkins Security Advisory SECURITY-3559; no public proof-of-concept code is available.
// No verified exploit code is publicly available.
// The flaw stems from rendering unescaped server responses such as:
// <div>{healthAdvisorResponse}</div>
// where healthAdvisorResponse may contain <script> or event-handler payloads.
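The output-encoding defect described under Root Cause, as an added example that is not the plugin's own code: a Python rendering of an advisor report with the server-supplied fields inserted verbatim, beside a hardened version that encodes each field for the context it lands in. The report fields, the advisor.example.invalid host and the helper names are constructed for illustration; the hardened path stands in for what Jelly's default escaping or h.xmlEscape() does in the real plugin, and the safe_url helper adds the caveat that escaping alone does not make a URL attribute safe.

```python
import html
from urllib.parse import urlsplit

# Constructed sample of fields a tampered Health Advisor response might carry.
# These strings are illustrative, not a captured payload.
TAMPERED_REPORT = {
    "title": "Disk usage <script>alert(1)</script>",
    "link": 'https://advisor.example.invalid/report" onmouseover="alert(1)',
    "body": "Free space low on /var/lib/jenkins <img src=x onerror=alert(1)>",
}


def render_vulnerable(report: dict) -> str:
    """Mirrors the defect: externally sourced fields are inserted verbatim,
    so the browser parses any markup they contain as part of the Jenkins page."""
    return (
        f"<div class=\"advisor\"><h2>{report['title']}</h2>"
        f"<a href=\"{report['link']}\">details</a>"
        f"<p>{report['body']}</p></div>"
    )


def esc(value: str) -> str:
    """Text-node and attribute-value encoding (the role h.xmlEscape() plays in
    Jelly). quote=True also encodes the two quote characters, which is what
    stops a value from breaking out of a quoted attribute."""
    return html.escape(value, quote=True)


def safe_url(url: str) -> str:
    """Escaping alone does not make a URL attribute safe: a javascript: scheme
    survives encoding untouched. Allow only http(s) and neutralise anything else."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return "#"
    return esc(url)


def render_hardened(report: dict) -> str:
    """Same template, with every externally sourced field encoded for its context."""
    return (
        f"<div class=\"advisor\"><h2>{esc(report['title'])}</h2>"
        f"<a href=\"{safe_url(report['link'])}\">details</a>"
        f"<p>{esc(report['body'])}</p></div>"
    )


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(TAMPERED_REPORT))
    print("hardened:  ", render_hardened(TAMPERED_REPORT))
```

The three fields deliberately cover the three contexts that matter here: a text node, an attribute value that tries to close the quote and start an event handler, and a body that carries a tag with an inline handler. Encoding handles the first two; the URL allow-list is what covers a javascript: link, which no amount of HTML escaping changes.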
Detection Methods for CVE-2025-47885
Indicators of Compromise
- Unexpected <script> tags, onerror, or onload attributes appearing in Jenkins Health Advisor report pages.
- Outbound network requests from Jenkins user browsers to unfamiliar domains shortly after viewing advisor pages.
- Health Advisor responses returning non-standard HTML payloads or unusually large response bodies.
Detection Strategies
- Inspect HTTP responses from the Jenkins Health Advisor server for HTML or JavaScript content that should not appear in legitimate advisory data.
- Review Jenkins audit logs for unexpected configuration changes, new administrator accounts, or job modifications correlated with advisor page access.
- Monitor TLS certificate validity and DNS resolution for the Health Advisor endpoint to detect interception attempts.
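The first detection strategy above (inspecting Health Advisor responses for markup that legitimate advisory data should not contain) and the indicators listed under Indicators of Compromise, worked as an added example that is not part of the original advisory: a small scanner built on Python's html.parser that flags script-bearing tags, on* event-handler attributes, javascript: URLs and oversized bodies. The sample responses, the 64 KiB size threshold and the finding labels are constructed; run the scanner over response bodies captured from your own controller or proxy.

```python
from html.parser import HTMLParser

# Constructed threshold for the "unusually large response body" indicator;
# calibrate it against the sizes your own controllers normally receive.
MAX_BODY_BYTES = 64 * 1024
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}


class ActiveContentScanner(HTMLParser):
    """Records markup that legitimate advisory text should never contain:
    script-bearing tags, on* event-handler attributes and javascript: URLs."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so mixed-case
        # variants such as <ScRiPt> or onError= take the same path.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"handler:{name}")
            elif name in URL_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"url:{name}")


def scan_response(body: str) -> list[str]:
    """Return the list of indicators found in one Health Advisor response body."""
    scanner = ActiveContentScanner()
    scanner.feed(body)
    scanner.close()
    findings = list(scanner.findings)
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        findings.append("size:oversized")
    return findings


# Constructed sample responses: the first is what normal advisory text looks
# like, the others carry the kinds of markup the advisory warns about.
SAMPLE_RESPONSES = {
    "benign": "<p>Plugin <b>example-plugin</b> is outdated; an upgrade is recommended.</p>",
    "script_tag": "<p>Disk low</p><ScRiPt>alert(1)</ScRiPt>",
    "event_handler": "<img src=x onError=\"alert(1)\">",
    "javascript_url": "<a href=\"JavaScript:alert(1)\">details</a>",
}


def scan_all(responses: dict[str, str]) -> dict[str, list[str]]:
    """Scan a batch of named response bodies and return findings per name."""
    return {name: scan_response(body) for name, body in responses.items()}


if __name__ == "__main__":
    for name, findings in scan_all(SAMPLE_RESPONSES).items():
        print(f"{name:15} {'CLEAN' if not findings else ', '.join(findings)}")
```

Parsing rather than string-matching is deliberate: a substring check for "onerror=" also fires on correctly escaped text, while the parser only reports an attribute that the browser would actually treat as a handler. A clean result is a baseline, not a guarantee; pair it with the TLS and DNS monitoring in the list above so that a tampered response is caught at the transport layer as well.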
Monitoring Recommendations
- Enable Content Security Policy (CSP) reporting in Jenkins to flag inline script execution from unexpected sources.
- Forward Jenkins access and audit logs to a SIEM such as Singularity Data Lake & AI SIEM for correlation across CI/CD telemetry.
- Alert on plugin versions reported by the Jenkins update center matching 374.v194b_d4f0c8c8 or earlier.
How to Mitigate CVE-2025-47885
Immediate Actions Required
- Upgrade the Jenkins Health Advisor by CloudBees Plugin to a version newer than 374.v194b_d4f0c8c8 as published in Jenkins Security Advisory SECURITY-3559.
- Inventory Jenkins controllers across the organization to identify installations running the vulnerable plugin version.
- Restrict access to Jenkins controllers to trusted networks and authenticated users while patching is in progress.
Patch Information
The Jenkins project addressed this issue in the security release published on 2025-05-14. Administrators should apply the fixed plugin version through the Jenkins Update Center. Refer to the Jenkins Security Advisory SECURITY-3559 for the specific fixed version and remediation guidance.
Workarounds
- Disable or uninstall the Health Advisor by CloudBees Plugin if upgrading is not immediately feasible.
- Block outbound network access from the Jenkins controller to the Health Advisor service to prevent retrieval of untrusted responses.
- Enforce strict TLS validation and pin the Health Advisor endpoint to prevent man-in-the-middle interception of plugin traffic.
# Example: list installed plugin version using the Jenkins CLI
java -jar jenkins-cli.jar -s https://jenkins.example.com/ \
list-plugins | grep -i "cloudbees-jenkins-advisor"
# Disable the plugin pending upgrade
java -jar jenkins-cli.jar -s https://jenkins.example.com/ \
disable-plugin cloudbees-jenkins-advisor
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.