Jenkins Log Message Injection Vulnerability CVE-2025-XXXX (Moderate)

Listen to this Post

CVE-2025-XXXX exploits the Jenkins log formatter’s failure to sanitize user-controlled input in log messages. Attackers can inject carriage return (CR) and line feed (LF) characters into log entries. These characters forge new lines in the log output, such as jenkins.log. This allows an attacker to prepend fake, malicious log entries with a forged timestamp onto a legitimate, single log message generated by the system. The log file then contains these deceptive entries interleaved with real ones, potentially misleading administrators during security audits or incident response by obfuscating real attack traces or framing innocent users.
Platform: Jenkins
Version: <2.516.3, 2.517-2.527
Vulnerability: Log Injection
Severity: Moderate

date: 2025-09-17

Prediction: Patch Available

What Undercode Say:

`curl -s “https://api.github.com/repos/jenkinsci/jenkins/tags” | jq ‘.[].name’ | grep -E “2\.(516\.3|528)”`

`grep -n “\[CRLF\]>” /var/log/jenkins/jenkins.log`

How Exploit:

`logger.info(“Legitimate message\u2028[bash] FAKE: User admin executed dangerous script”)`

Protection from this CVE

Update to Jenkins 2.516.3 LTS or 2.528. The patch modifies the log formatter to prefix injected line breaks with an indicator like [bash]>, clearly delineating user-controlled content within a log line.

Impact:

Log Spoofing

Audit Deception

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top