A recently unearthed vulnerability in Jenkins Docker images has sparked major concerns in the realm of network security. The vulnerability stems from the reuse of SSH host keys, a critical flaw that could potentially enable attackers to impersonate Jenkins build agents and intercept sensitive network traffic. This discovery has put a spotlight on the importance of diligently maintaining and updating containerized environments to mitigate the risk of security breaches.
The crux of the issue lies in how SSH host keys are automatically generated during the creation of Debian-based Jenkins Docker images, specifically the jenkins/ssh-agent and jenkins/ssh-slave variants. Containers built from the same image version share identical SSH host keys, providing a loophole for attackers capable of intercepting communication between a Jenkins controller and a build agent to exploit. This vulnerability opens the door for malicious actors to hijack sensitive traffic and compromise network security.
In response to this critical security flaw, the Jenkins team has disclosed two vulnerabilities in its security advisory. The first vulnerability, identified under CVE-2025-32754, affects jenkins/ssh-agent Docker images and allows attackers to impersonate build agents and intercept network traffic. The second vulnerability, marked as CVE-2025-32755, targets deprecated jenkins/ssh-slave images, presenting the same security risk as CVE-2025-32754 but specific to older, unsupported image versions.
The affected image variants include jenkins/ssh-agent images prior to 2025-04-10 that do not specify an operating system or are based on Debian versions Stretch, Bullseye, or Bookworm. In the case of deprecated jenkins/ssh-slave images, tags such as latest, jdk11, latest-jdk11, and revert-22-jdk11-JENKINS-52279 are impacted. Conversely, images based on Alpine, NanoServer, or Windows are deemed unaffected by this vulnerability.
To address this critical security issue, the Jenkins project has released an updated version of the jenkins/ssh-agent image (version 6.11.2) that remedies the problem by deleting pre-generated SSH host keys during image creation. New host keys will be generated upon the initial container startup, mitigating the risk of attackers exploiting the vulnerability. Users of jenkins/ssh-agent Docker images are strongly encouraged to promptly update to the latest secure version to safeguard their deployments.
For users relying on deprecated jenkins/ssh-slave images, no fixes will be provided, and migration to the updated jenkins/ssh-agent image is recommended for continued security support and maintenance. The Jenkins team extends its appreciation to security researcher Abhishek Reddypalle for identifying and reporting these vulnerabilities, further enhancing the platform’s security measures.
In light of this security breach, administrators are advised to proactively update their Jenkins deployments to the latest secure versions. Organizations utilizing deprecated configurations should prioritize transitioning to more up-to-date solutions to ensure robust security protocols are in place. This incident underscores the critical importance of maintaining and updating containerized environments to prevent potential vulnerabilities from being exploited by malicious entities.
Stay informed with the latest developments by following us on Google News, LinkedIn, and X to receive instant updates on cybersecurity news and best practices.