CVE-2025-27624: Jenkins cross-site request forgery (CSRF) vulnerability
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not require POST requests for the HTTP endpoint toggling collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets), resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to have users toggle their collapsed/expanded status of sidepanel widgets.
Additionally, as the API accepts any string as the identifier of the panel ID to be toggled, attacker-controlled content can be stored in the victim’s user profile in Jenkins.
Jenkins 2.500, LTS 2.492.2 requires POST requests for the affected HTTP endpoint.
References
Code Behaviors & Features
Detect and mitigate CVE-2025-27624 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →