Critical Vulnerability Discovered in Jenkins Docker Images: Shared SSH Host Keys Let Attackers Impersonate Build Agents

On April 10, 2025, the Jenkins project disclosed a vulnerability in its official Docker images for SSH build agents, images that sit at the heart of the CI/CD (Continuous Integration / Continuous Deployment) setup of many organizations.

The problem lies in how SSH host keys are handled in these images. Because the keys were baked into the image itself, an attacker positioned on the network path between the Jenkins controller and an SSH build agent can impersonate the agent and act as a man-in-the-middle (MITM) between the two.

The issue has been assigned two CVE identifiers, CVE-2025-32754 and CVE-2025-32755, one for each affected image family:

CVE-2025-32754

This vulnerability affects the Debian-based variants of the jenkins/ssh-agent Docker image, versions 6.11.1 and earlier.

An attacker who can intercept the traffic between the Jenkins controller and an SSH build agent, and who holds the shared host key, can impersonate the agent and then:

  • Read everything the controller sends to the agent, including credentials and secrets passed to builds;
  • Modify that traffic in transit;
  • Manipulate or take control of the build processes that were meant to run on the agent.

This vulnerability is rated as Critical with a CVSS 3.1 score of 9.1.

CVE-2025-32755

This vulnerability affects the Debian-based variants of the deprecated jenkins/ssh-slave Docker image. All versions of this image are affected, and since the image is no longer maintained, the only remedy is to migrate away from it (see Recommendations).

As with CVE-2025-32754, an attacker in a MITM position between controller and agent can:

  • Intercept or alter network traffic;
  • Steal authentication credentials and other sensitive data;
  • Inject malicious code into the build process;
  • Gain control over CI/CD pipelines.

This vulnerability is also rated Critical with a CVSS 3.1 score of 9.1.

Root Cause of the Vulnerability

The root of the problem is that the Debian-based Jenkins Docker images generated their SSH host keys during the image build, rather than when a container starts.

A key generated at build time ends up in an image layer, so every container created from the same image shares identical SSH host keys, and anyone who pulls the public image can extract the private half. This violates a fundamental SSH assumption: each server (here, each agent) must have its own unique host key, because that key is the only thing the controller uses to tell a genuine agent from an impostor.

This lets an attacker positioned between a controller and an agent pass host key verification as the agent and then:

  • Hijack build processes;
  • Steal sensitive data and access keys;
  • Inject malicious code into builds;
  • Conduct supply chain attacks.

Vulnerable Jenkins Images:

jenkins/ssh-agent (Debian-based):

  • All versions up to and including 6.11.1;
  • the debian, stretch, bullseye and bookworm tag variants.

jenkins/ssh-slave (deprecated, no longer maintained):

  • latest, jdk11, latest-jdk11, revert-22-jdk11-JENKINS-52279.

Note: The Alpine-, Windows- and Nanoserver-based variants of these images are not affected.

Solution

The Jenkins team has released jenkins/ssh-agent 6.11.2, which moves host key generation from image build time to container startup: keys are created the first time a container starts, if none are present yet. Each container therefore gets its own keys, and the shared key an attacker could rely on is gone. Two caveats apply. First, containers already running from an older image keep their baked-in keys until they are recreated from the new image; pulling the new tag alone is not enough. Second, because a freshly created container now gets fresh keys, the controller will see a changed host key every time an agent container is recreated without a persisted key directory; pin the key on the controller side or persist the agent's key directory, and do not fall back to a non-verifying host key strategy, since that would leave the controller unable to detect an impostor at all.
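The before-and-after of the root cause described above and of the 6.11.2 fix, as an added example rather than the Jenkins project's own Dockerfile or entrypoint: the build-time pattern is paraphrased in the header comment, and the functions below implement the startup-time approach. The key directory layout, the key types, the function names and the use of ssh-keygen are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the Jenkins project's own Dockerfile or entrypoint).
# Vulnerable pattern, paraphrased: a Dockerfile step such as
#     RUN ssh-keygen -A
# runs at *image build* time, so ssh_host_*_key lands in an image layer and
# every container started from that image, plus anyone who pulls it, holds
# the same private host keys. The fixed pattern below generates keys when the
# container starts and keeps any that already exist.
set -eu

# Expected host key types (assumption for this example).
KEY_TYPES="ed25519 rsa"

# Exit 0 when every expected host key exists and is non-empty.
host_keys_present() {
  dir="$1"
  for t in $KEY_TYPES; do
    [ -s "$dir/ssh_host_${t}_key" ] || return 1
  done
  return 0
}

# Generate only the keys that are missing. Idempotent: a restarted container,
# or one with a volume mounted on $dir, keeps the identity the controller has
# already recorded; a freshly created container without such a volume gets
# new keys, so the controller must be told about them (see usage note).
ensure_ssh_host_keys() {
  dir="$1"
  mkdir -p "$dir"
  for t in $KEY_TYPES; do
    f="$dir/ssh_host_${t}_key"
    if [ ! -s "$f" ]; then
      ssh-keygen -q -t "$t" -N '' -f "$f"
      chmod 600 "$f"
    fi
  done
}

# SHA256 fingerprint of one host key, as the controller side would pin it.
host_key_fingerprint() {
  ssh-keygen -lf "$1" | awk '{ print $2 }'
}

# Demonstration (skipped where ssh-keygen is unavailable): two "containers",
# i.e. two fresh key directories, must get different fingerprints, and
# running the setup again on the same directory must not change them.
if command -v ssh-keygen >/dev/null 2>&1; then
  A=$(mktemp -d); B=$(mktemp -d)
  ensure_ssh_host_keys "$A"
  ensure_ssh_host_keys "$B"
  ensure_ssh_host_keys "$A"          # second start of A: keys unchanged
  echo "container A ed25519: $(host_key_fingerprint "$A/ssh_host_ed25519_key")"
  echo "container B ed25519: $(host_key_fingerprint "$B/ssh_host_ed25519_key")"
  rm -rf "$A" "$B"
fi
# A real entrypoint would continue with:
#   ensure_ssh_host_keys /etc/ssh && exec /usr/sbin/sshd -D -e
```

In an entrypoint the key directory would be /etc/ssh; if the agent must keep a stable identity across container re-creation, mount a volume there, otherwise record the new fingerprint on the controller (for example with a manually provided or manually trusted key strategy in the SSH Build Agents plugin) each time the container is recreated.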

Recommendations

Organizations using Jenkins Docker images should:

  1. Immediately update jenkins/ssh-agent images to version 6.11.2 or later, and recreate running agent containers so that they actually start from the new image.
  2. Migrate away from the deprecated jenkins/ssh-slave images to jenkins/ssh-agent; no fixed ssh-slave image will appear.
  3. Check which image tags are in use across all controllers and agent hosts and update where necessary.
  4. Verify that no two build agents present the same SSH host key, for example by comparing the fingerprints reported by ssh-keyscan across all agents.
  5. Restrict who can reach the network path between controllers and agents (network segmentation, no agent traffic over untrusted networks).
  6. Make sure the controller really verifies agent host keys rather than using a non-verifying strategy, and monitor CI/CD pipeline activity for unexpected changes.
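A check for recommendation 4, added here and not part of the Jenkins advisory: feed the output of ssh-keyscan run against all agents into the script and it reports any host key presented by more than one agent, which is exactly what containers from a vulnerable image look like. The agent names and the key blobs in the sample are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the Jenkins advisory or project): find SSH host keys
# that are presented by more than one build agent.
# Input is what `ssh-keyscan agent-1 agent-2 ...` prints, which is also the
# known_hosts format: "<host> <key type> <base64 key>".

# Constructed sample scan of three hypothetical agents; the key blobs are
# placeholders, not real keys. agent-1 and agent-2 present the same ed25519
# key, agent-3 has its own.
SAMPLE_SCAN='# constructed ssh-keyscan output (placeholder keys)
agent-1.ci.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERSHAREDKEY00000000000000001
agent-1.ci.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQPLACEHOLDERRSA1
agent-2.ci.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERSHAREDKEY00000000000000001
agent-2.ci.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQPLACEHOLDERRSA2
agent-3.ci.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERUNIQUEKEY000000000000003
agent-3.ci.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQPLACEHOLDERRSA3'

# Read scan lines on stdin; print one sorted line per key that appears under
# more than one host name, e.g.
#   ssh-ed25519 AAAAC3NzaC1lZDI1... shared by 2 hosts: agent-1.ci.example agent-2.ci.example
shared_host_keys() {
  awk '
    /^[[:space:]]*#/ || NF < 3 { next }            # skip comments, blanks, junk
    {
      k = $2 " " $3                                # the key itself, not the host, is the identity
      if (!(k in hosts)) { hosts[k] = $1; next }
      if (index(" " hosts[k] " ", " " $1 " ") == 0)  # same host listed twice is not sharing
        hosts[k] = hosts[k] " " $1
    }
    END {
      for (k in hosts) {
        n = split(hosts[k], h, " ")
        if (n > 1) {
          split(k, p, " ")
          printf "%s %s... shared by %d hosts: %s\n", p[1], substr(p[2], 1, 16), n, hosts[k]
        }
      }
    }' | sort
}

# CI gate: exit 0 when every key is unique, 1 when any key is shared.
assert_unique_host_keys() {
  [ -z "$(shared_host_keys)" ]
}

printf '%s\n' "$SAMPLE_SCAN" | shared_host_keys
if printf '%s\n' "$SAMPLE_SCAN" | assert_unique_host_keys; then
  echo "OK: all agents present distinct host keys"
else
  echo "FAIL: shared host key(s) found; the agents may come from an image that baked keys in at build time" >&2
fi
```

For a live check, run the scan yourself, for example ssh-keyscan -t ed25519,rsa on every agent host (with -p for non-standard ports), and pipe the result into shared_host_keys; a non-empty result means the affected agents must be recreated from a fixed image before their host keys can be trusted.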

This incident once again highlights the importance of regularly updating systems and reacting swiftly to newly discovered vulnerabilities — even in the most trusted development and automation tools.