A newly disclosed vulnerability affecting Jenkins Docker images has raised serious concerns about network security.
The vulnerability, stemming from the reuse of SSH host keys, could allow attackers to impersonate Jenkins build agents and hijack sensitive network traffic.
Vulnerability Details
The core issue arises from the way SSH host keys are automatically generated during image creation for Debian-based jenkins/ssh-agent and jenkins/ssh-slave Docker images.
.png
)
All containers built from the same image version share identical SSH host keys, allowing attackers capable of intercepting communication between a Jenkins controller and a build agent to impersonate the agent.
This jeopardizes network security by exposing sensitive traffic to potential malicious actors.
The Jenkins team disclosed two vulnerabilities in its security advisory, which are summarized below:
| CVE ID | Affected Components | Severity | Description |
| CVE-2025-32754 | jenkins/ssh-agent Docker images | Medium | Reuse of SSH host keys allows attackers to impersonate build agents and intercept network traffic. |
| CVE-2025-32755 | Deprecated jenkins/ssh-slave images | Medium | The same vulnerability as CVE-2025-32754, but specific to older, deprecated Docker images. |
Affected Versions
Affected image variants include:
- jenkins/ssh-agent:
- All images not specifying an OS (e.g., -jdk*, -jdk*-preview) prior to 2025-04-10.
- All images based on Debian, Stretch, Bullseye, or Bookworm prior to 2025-04-10.
- jenkins/ssh-slave (deprecated):
- Tags affected include latest, jdk11, latest-jdk11, and revert-22-jdk11-JENKINS-52279.
Unaffected images include all jenkins/ssh-agent and jenkins/ssh-slave variants based on Alpine, NanoServer, or Windows.
Remediation
The Jenkins project has released jenkins/ssh-agent version 6.11.2, which addresses the issue by deleting pre-generated SSH host keys during image creation.
New host keys will now be generated upon the first container startup. Users of the jenkins/ssh-agent Docker image are advised to update to this latest version immediately.
For the deprecated jenkins/ssh-slave images, no fixes will be provided. Users are urged to migrate to the updated jenkins/ssh-agent image for proper security support and maintenance.
The Jenkins team expressed its gratitude to security researcher Abhishek Reddypalle, who reported the vulnerabilities and contributed to improving the platform’s security.
Administrators are strongly advised to update their deployments to the latest secure versions.
Organizations relying on deprecated configurations should prioritize migration to better-maintained solutions.
This incident underscores the importance of keeping containerized environments up-to-date to prevent potential vulnerabilities from being exploited.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
