Jenkins

A critical cross-site scripting (XSS) vulnerability in the popular Jenkins Gatling Plugin allows attackers to bypass Content-Security-Policy (CSP) protections. The vulnerability, tracked as CVE-2025-5806, affects Gatling Plugin version 136.vb_9009b_3d33a_e and poses significant risks to Jenkins environments that use this performance-testing integration. Exploitation requires an account that can modify Gatling report content, which typically means developers, QA engineers, and system administrators holding the corresponding Jenkins permissions. Once exploited, the attacker can execute arbitrary JavaScript in the context of the Jenkins application, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. The high CVSS severity rating assigned to this vulnerability reflects its potential for significant impact on Jenkins infrastructure.

Source: https://cybersecuritynews.com/jenkins-gatling-plugin-vulnerability/

TPRM report: https://scoringcyber.rankiteo.com/company/jenkinsio

{
  "id": "jen302060925",
  "linkid": "jenkinsio",
  "type": "Vulnerability",
  "date": "6/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "industry": "Software Development",
      "name": "Jenkins",
      "type": "CI/CD tool"
    }
  ],
  "attack_vector": "User-controlled content within Gatling reports",
  "description": "A critical cross-site scripting (XSS) vulnerability in the popular Jenkins Gatling Plugin allows attackers to bypass Content-Security-Policy (CSP) protections. The vulnerability, tracked as CVE-2025-5806, affects Gatling Plugin version 136.vb_9009b_3d33a_e and poses significant risks to Jenkins environments utilizing this performance testing integration tool.",
  "impact": {
    "data_compromised": "Sensitive build information, Jenkins configurations, deployment pipelines",
    "operational_impact": "Potential cascading effects across entire development and deployment workflows",
    "systems_affected": "Jenkins environments"
  },
  "initial_access_broker": {
    "entry_point": "Gatling report content modification",
    "high_value_targets": "Jenkins configurations, build information, deployment pipelines"
  },
  "motivation": "Session hijacking, credential theft, unauthorized administrative actions",
  "post_incident_analysis": {
    "root_causes": "Improper implementation of Content-Security-Policy restrictions"
  },
  "recommendations": "Downgrade to Gatling Plugin version 1.3.0, temporarily disable the Gatling Plugin, implement additional monitoring, review network segmentation and access controls",
  "response": {
    "containment_measures": "Downgrade to Gatling Plugin version 1.3.0, temporarily disable the Gatling Plugin",
    "enhanced_monitoring": "Implement additional monitoring for unusual Jenkins activity",
    "network_segmentation": "Review network segmentation and access controls"
  },
  "title": "Critical XSS Vulnerability in Jenkins Gatling Plugin",
  "type": "Cross-Site Scripting (XSS)",
  "vulnerability_exploited": "CVE-2025-5806"
}