Jenkins Gatling Plugin, Cross-Site Scripting (XSS), CVE-2025-XXXXX (High)

How the CVE Works:

The Jenkins Gatling Plugin (v136.vb_9009b_3d33a_e) fails to properly enforce Content-Security-Policy (CSP) headers when rendering Gatling performance reports. Attackers with permissions to modify report content can inject malicious JavaScript payloads. Since CSP bypass allows script execution, stored XSS triggers when administrators or users view the compromised report, leading to session hijacking, privilege escalation, or malware delivery.

DailyCVE Form:

Platform: Jenkins Gatling Plugin
Version: 136.vb_9009b_3d33a_e
Vulnerability: Stored XSS
Severity: High
Date: Jun 9, 2025

Prediction: Patch by Jul 15, 2025

What Undercode Says:

Exploitation:

1. Payload Injection:

<script>alert(document.cookie)</script>

Embedded in Gatling report files.

2. Trigger XSS:

Admin views report → payload executes.

Detection:

grep -r "CSP" /var/lib/jenkins/plugins/gatling

Mitigation:

1. Temporary Fix:

Disable plugin until patch:

java -jar jenkins-cli.jar -s http://JENKINS_URL/ -auth USER:API_TOKEN disable-plugin gatling

2. CSP Enforcement:

Jenkins has no `--csp` launcher flag; the policy applied to static files Jenkins serves (including published report directories) is the `hudson.model.DirectoryBrowserSupport.CSP` system property, passed as a JVM `-D` option inside the `<arguments>` element of `jenkins.xml`, before `-jar`. Do not put `'unsafe-inline'` in `script-src`, since that permits exactly the injected inline script this vulnerability relies on; `'self'` is also insufficient here because attacker-supplied report files are served from the same origin. The Jenkins default policy below blocks script execution:

<arguments>-Dhudson.model.DirectoryBrowserSupport.CSP="sandbox; default-src 'none'; img-src 'self'; style-src 'self';" -jar "%BASE%\jenkins.war" --httpPort=8080</arguments>

3. Patch Monitoring:

curl -s https://updates.jenkins.io/plugin/gatling/ | grep "Fixed"
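The grep under Detection and the CSP setting under Mitigation both come down to one question: does the header served with a report actually stop an injected script from running? The following is an added example (not Jenkins or Gatling Plugin code) that parses a Content-Security-Policy header and reports the weaknesses that leave stored XSS exploitable: a missing header, no script-src/default-src, or source expressions such as 'unsafe-inline'. The sample header maps are constructed; the policy labelled "jenkins-default" is the documented default value of the hudson.model.DirectoryBrowserSupport.CSP property.

```python
"""Check a Content-Security-Policy header for settings that let injected
script in user-supplied report content execute.

Added example for this advisory; not Jenkins or Gatling Plugin code.
Runs offline on the constructed sample headers at the bottom."""

from typing import Dict, List, Optional

# Source expressions that still allow attacker-controlled script to run.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "blob:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    Directive names are case-insensitive; browsers ignore a repeated
    directive, so the first occurrence wins here too."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src falls back to default-src when it is absent."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")  # None when neither directive is set


def assess_csp(header: Optional[str]) -> List[str]:
    """Return findings; an empty list means inline/injected script is blocked."""
    if header is None or not header.strip():
        return ["no Content-Security-Policy header: any injected <script> runs"]
    policy = parse_csp(header)
    sources = effective_script_sources(policy)
    if sources is None:
        return ["neither script-src nor default-src set: scripts unrestricted"]
    findings = [
        f"script-src allows {src}: inline/injected script still executes"
        for src in sources
        if src in WEAK_SCRIPT_SOURCES
    ]
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    if any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources):
        findings = [f for f in findings if "'unsafe-inline'" not in f]
    return findings


def assess_response_headers(headers: Dict[str, str]) -> List[str]:
    """Case-insensitive lookup of the CSP header in a response header map."""
    csp = None
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            csp = value
            break
    return assess_csp(csp)


# Constructed sample responses a report request might return.
SAMPLES: Dict[str, Dict[str, str]] = {
    "no-header": {"Content-Type": "text/html"},
    # The policy this advisory originally suggested; 'unsafe-inline' defeats it.
    "unsafe-inline": {"Content-Security-Policy": "default-src 'self'; script-src 'unsafe-inline'"},
    # Documented default of hudson.model.DirectoryBrowserSupport.CSP.
    "jenkins-default": {"Content-Security-Policy": "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        findings = assess_response_headers(headers) or ["OK: injected script blocked"]
        print(label)
        for f in findings:
            print("  -", f)
```

To use it against a live instance, fetch a report URL with the session of a low-privilege account and pass `dict(response.headers)` to `assess_response_headers`; the function deliberately checks only the header, not the page body, so it stays read-only.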

Impact Analysis:

  • Affected Systems: Jenkins instances with Gatling Plugin ≤ v136.
  • Attack Vector: Authenticated users with report-write access.
  • CVSS: 8.1 (High)

Log Monitoring:

tail -f /var/log/jenkins/access.log | grep "gatling/report"

References:

No further commentary provided.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
