How the CVE Works
CVE-2025-27624 is a cross-site request forgery (CSRF) vulnerability in Jenkins 2.499 and earlier, including LTS 2.492.1 and earlier. The HTTP endpoint that toggles the collapsed/expanded state of sidepanel widgets (e.g., Build Queue, Build Executor Status) accepted GET requests. Jenkins's CSRF protection (the crumb issuer) only checks POST requests, so a GET that changes server-side state is reachable from any attacker-controlled page: a logged-in user who loads that page has their browser send the toggle request with their own session cookie, and the widget state changes for that user. The fix makes the endpoint require POST. The impact is limited to flipping a per-user UI preference, so the severity is low.
DailyCVE Form
Platform: Jenkins
Version: ≤2.499 / ≤2.492.1 (LTS)
Vulnerability: CSRF
Severity: Low
Date: 06/23/2025
Patched: Jenkins 2.500 and LTS 2.492.2 (Jenkins security advisory 2025-03-05)
What Undercode Say
Analytics
Pull the NVD record (the page's original URL was not the NVD API endpoint; the 2.0 REST API is the one that returns JSON):
curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-27624" | jq '.vulnerabilities[0].cve.metrics'
There is no nmap NSE script for this issue; triage instead on the version Jenkins advertises in its X-Jenkins response header (replace <jenkins-server> with the host under test):
curl -sI "https://<jenkins-server>/" | grep -i '^X-Jenkins:'
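As an added example (not from this page or the Jenkins project), a small Python triage helper that classifies a Jenkins version string, such as the value of the X-Jenkins header above, against the affected ranges. The version thresholds come from the advisory (weekly releases up to 2.499, LTS releases up to 2.492.1 are affected); the sample header values in the demo are constructed, and Jenkins's weekly-vs-LTS distinction is inferred from the number of version components (two for weekly, three for LTS).

```python
import re
from typing import Optional, Tuple

# Affected ranges from the Jenkins advisory for CVE-2025-27624.
LAST_AFFECTED_WEEKLY = (2, 499)       # weekly line: 2.499 and earlier
LAST_AFFECTED_LTS = (2, 492, 1)       # LTS line: 2.492.1 and earlier

# Weekly releases look like "2.499", LTS releases like "2.492.1".
# Anything after the numeric part (e.g. "-SNAPSHOT") is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric components of a Jenkins version, or None if unparseable."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if fixed, None if unparseable.

    A three-component version is treated as an LTS release and compared with the
    last affected LTS; a two-component version is a weekly release and compared
    with the last affected weekly. Tuple comparison handles the ordering.
    """
    v = parse_version(version)
    if v is None:
        return None
    if len(v) == 3:
        return v <= LAST_AFFECTED_LTS
    return v[:2] <= LAST_AFFECTED_WEEKLY


def check_response_headers(headers: dict) -> Optional[bool]:
    """Triage from response headers; Jenkins adds X-Jenkins: <version> to its responses."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return is_affected(value)
    return None  # not Jenkins, or the header is stripped by a proxy


if __name__ == "__main__":
    # Constructed sample header sets, not captured from a real host.
    samples = {
        "weekly-old": {"X-Jenkins": "2.499", "Server": "Jetty(10.0.24)"},
        "weekly-fixed": {"X-Jenkins": "2.500"},
        "lts-old": {"x-jenkins": "2.492.1"},
        "lts-fixed": {"X-Jenkins": "2.492.2"},
        "not-jenkins": {"Server": "nginx"},
    }
    for label, hdrs in samples.items():
        print(f"{label:13s} -> affected={check_response_headers(hdrs)}")
```

A None result means the host could not be classified (no X-Jenkins header, or a value the regex does not match); treat that as "verify manually" rather than "not affected".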
Exploit
Before the fix the toggle endpoint accepted GET, so no stolen cookie is involved: the victim's own browser attaches their Jenkins session cookie to a request that an attacker-controlled page triggers, for example with an image tag pointing at https://<jenkins-server>/toggleCollapse?paneId=<pane-id>. The request the victim's browser sends looks like:

GET /toggleCollapse?paneId=<pane-id> HTTP/1.1
Host: <jenkins-server>
Cookie: <victim's own Jenkins session cookie, added automatically by the browser>

Jenkins only requires a crumb on POST, so the toggle is applied for the logged-in victim. Fixed versions reject the GET and require POST, which a cross-origin page cannot send with a valid crumb.
Protection from this CVE
Upgrade to Jenkins 2.500 or LTS 2.492.2 (or later); these versions require POST for the affected endpoint. Keep "Prevent Cross Site Request Forgery exploits" (the crumb issuer) enabled under Manage Jenkins > Security, since it is what makes the POST requirement effective. The X-Frame-Options and CSP frame-ancestors headers that originally appeared here defend against clickjacking, not CSRF, and do not block this issue.

Interim mitigation at a reverse proxy, if upgrading is delayed (nginx example assuming nginx fronts Jenkins on 127.0.0.1:8080; adjust the upstream to your deployment):
location = /toggleCollapse {
    limit_except POST { deny all; }
    proxy_pass http://127.0.0.1:8080;
}
Impact
UI disruption, forced widget state changes.
Sources:
Reported By: nvd.nist.gov