CVE-2025-59475: Missing Permission Check in Jenkins Authenticated User Profile Menu

Introduction

Jenkins is one of the most widely used open-source automation servers, helping teams automate build, test, and deployment processes across thousands of CI/CD pipelines.

However, even mature systems like Jenkins can face subtle yet significant security flaws. A recent issue - CVE-2025-59475 - revealed a missing permission check that allowed authenticated users to view certain configuration details they shouldn’t have access to.

Let’s look at how this vulnerability emerged, what it means for Jenkins administrators, and how it was fixed.

Key Takeaways

• The issue affects Jenkins Core (org.jenkins-ci.main:jenkins-core).
• Vulnerability type: Missing permission check in the user profile dropdown menu.
• It could allow authenticated users to enumerate sensitive configurations (e.g., plugin details).
• Fixed by enforcing permission verification in jumplist.jelly file.
• Recommended action: Upgrade Jenkins to the patched version.

What Is Jenkins Core?

Jenkins Core provides the backbone of Jenkins, including job scheduling, build execution, and UI rendering. It’s the foundation on which all Jenkins operations, plugins, and user interfaces run.

Why Does Jenkins Matter?

This vulnerability matters because permission misconfigurations in Jenkins can lead to information disclosure, giving attackers insights into the system setup, plugins in use, or internal structure - all of which can help in planning further attacks.

The Vulnerability Explained: CVE-2025-59475

At its core, CVE-2025-59475 is a missing permission check vulnerability. It occurs in the authenticated user’s profile dropdown menu - an area that every logged-in user interacts with.

Normally, users without the Overall/Read permission should not be able to access or even see certain system-level configuration details.

But in this case, the Jenkins UI did not validate permissions before rendering certain items in the profile menu.

As a result, unauthorized users could inspect the dropdown menu to infer information like the existence of specific plugins (for example, presence of Credentials Plugin) or configuration features available to higher-privileged users.

Why Is It Vulnerable?

The root cause is the absence of a permission validation check in the Jenkins UI layer. When the profile dropdown was rendered, Jenkins failed to verify whether the authenticated user had the Overall/Read permission.

This oversight let users without the proper privileges enumerate parts of the system simply by inspecting what appeared in their profile menu.

While it might sound minor, such enumeration can reveal valuable data to attackers - especially in enterprise setups where Jenkins manages sensitive pipelines and integrations.

How It Was Fixed

The Jenkins team addressed this vulnerability in this commit-Commit 6bdea9f

The fix involved updating the jumplist.jelly file to enforce permission checks for listing items in the authenticated user profile dropdown.

Now, before any configuration or plugin detail is shown, Jenkins verifies that the user holds the Overall/Readpermission.

This simple yet effective change ensures that only authorized users can view or interact with sensitive menu options.

Recommendation:

All Jenkins users should upgrade to the latest patched version to eliminate this exposure.

Best Practices to Prevent Similar Issues

For vulnerabilities like CVE-2025-59475, which stem from permission-related UI and information leaks, following strict access control and testing practices can prevent recurrence.

1. Enforce Permission Checks Everywhere:
   • Always ensure every feature and UI element performs explicit permission checks before rendering or executing actions.
2. Minimize Information Exposure:
   • Display only what’s necessary. Avoid showing system or plugin details to non-admin users.
3. Use Centralized Access Control:
   • Manage permissions centrally to maintain consistency across the application.
4. Log Unauthorized Access Attempts:
   • Track and investigate any suspicious access attempts to detect potential misuse early.

References and Resources

https://github.com/advisories/GHSA-223m-4rfp-646h

https://nvd.nist.gov/vuln/detail/CVE-2025-59475

https://www.jenkins.io/security/advisory/2025-09-17/#SECURITY-3625

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2025-59475

FAQ

Q1. What is CVE-2025-59475?

CVE-2025-59475 is a missing permission check vulnerability in Jenkins Core that allowed authenticated users to view sensitive configuration details via the profile menu.

Q2. How does this vulnerability impact Jenkins users?

It can expose details about installed plugins or configurations, potentially aiding attackers in reconnaissance or privilege escalation.

Q3. How was the vulnerability fixed?

By adding a permission check (Overall/Read) in the Jenkins UI (jumplist.jelly), ensuring unauthorized users can’t access restricted configuration data.

Q4. What should administrators do to stay protected?

Upgrade Jenkins to the patched version and regularly audit permissions and user roles to prevent similar issues.