CVE-2025-67641: Jenkins Coverage Plugin has a stored cross-site scripting (XSS) vulnerability

December 10, 2025

Jenkins Coverage Plugin 2.3054.ve1ff7b_a_a_123b_ and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI, allowing attackers with Item/Configure permission to use a javascript: scheme URL as identifier by configuring the job through the REST API, resulting in a stored cross-site scripting (XSS) vulnerability.

References

github.com/advisories/GHSA-v3f3-rf6r-43x5
github.com/jenkinsci/coverage-plugin
github.com/jenkinsci/coverage-plugin/commit/1dfe888b02499d39185397862cf2790efc03e955
nvd.nist.gov/vuln/detail/CVE-2025-67641
www.jenkins.io/security/advisory/2025-12-10/

Code Behaviors & Features

Detect and mitigate CVE-2025-67641 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →