logo

Database

Cross-site request forgery In org.jenkins-ci.main:jenkins-core

Description

Jenkins cross-site request forgery (CSRF) vulnerability Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not require POST requests for the HTTP endpoint toggling collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets), resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to have users toggle their collapsed/expanded status of sidepanel widgets.

Additionally, as the API accepts any string as the identifier of the panel ID to be toggled, attacker-controlled content can be stored in the victim’s user profile in Jenkins.

Jenkins 2.500, LTS 2.492.2 requires POST requests for the affected HTTP endpoint.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-276242. NVD-2025-276243. OSV-2025-276244. GCVE-2025-27624

References

1. https://github.com/jenkinsci/jenkins/commit/84ef1a4d4db17d0ce66522d0141f6e52e2a4c97c2. https://www.jenkins.io/security/advisory/2025-03-05/#SECURITY-3498

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.