Jenkins Security Advisory2025-04-10
This advisory announces vulnerabilities in
,
and
Jenkins

Host key reuse in SSH build agent Docker images
SECURITY-3565 / CVE-2025-32754 (jenkins/ssh-agent), CVE-2025-32755 (jenkins/ssh-slave)
Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L]
Description:
The jenkins/ssh-agent and deprecated jenkins/ssh-slave Docker images can be used to set up a build agent for use via the SSH Build Agents plugin.
In jenkins/ssh-agent 6.11.1 and earlier and all versions of jenkins/ssh-slave, SSH host keys are generated on image creation for images based on Debian. This affects the following image variants:
- jenkins/ssh-agent:
- All not explicitly specifying an OS, including all
-jdk*and-jdk*-previewsuffixes (all before 2025-04-10) - All containing
debian,stretch,bullseye, orbookworm(all before 2025-04-10)
- All not explicitly specifying an OS, including all
- jenkins/ssh-slave: The tags
latest,jdk11,latest-jdk11,revert-22-jdk11-JENKINS-52279
The following image variants are unaffected:
- jenkins/ssh-agent: All containing
alpine,nanoserver, orwindows - jenkins/ssh-slave: The tag
alpine
As a result, all containers based on images of the same version use the same SSH host keys. This allows attackers able to insert themselves into the network path between the SSH client (typically the Jenkins controller) and SSH build agent to impersonate the latter.
The jenkins/ssh-agent 6.11.2 Docker images based on Debian delete the automatically generated SSH host keys created during image creation. New host keys are generated on the first container startup.
jenkins/ssh-slave is deprecated and will not be updated. Use jenkins/ssh-agent instead.
Note
Warning
Severity
- SECURITY-3565: Medium
Fix
- jenkins/ssh-agent Docker images should be updated to version 6.11.2
Credit
- Abhishek Reddypalle for SECURITY-3565