Jenkins Warns of SSH Security Flaw in Docker Images

April 11, 2025

The Jenkins project issued a new security advisory for vulnerabilities affecting its Docker’s image deliverables, including jenkins/ssh-agent and the deprecated jenkins/ssh-slave.

Vulnerability Details

The advisory outlines a medium-severity vulnerability (CVSS) related to host key reuse in SSH build agent Docker images, which may allow attackers to impersonate Jenkins SSH build agents under some conditions. This issue has been tracked as:

SECURITY-3565/CVE-2025-32754(jenkins/ssh-agent)
CVE-2025-32755(jenkins/ssh-slave)

This issue stems from SSH host keys being generated while Docker image creates Debian-based images. This means all containers built from the same image has identical SSH host keys, enabling man-in-the-middle (MitM) attacks. Attackers could exploit this to intercept or spoof connections between controller and agents.

Impact

CVE-2025-32754 and CVE-2025-32755 affects the Docker images that are based on Debian. This include

CVE-2025-32754 (`jenkins/ssh-agent`)

All versions not explicitly specifying an OS, including all –jdk*nand -jdk*-preview variants created before April 10, 2025.
All variants containing debian, stretch, bullseye, or bookworm created before April 10, 2025.

CVE-2025-32755 (`jenkins/ssh-slave`)

Tags with latest, jdk11, latest-jdk11, and revert-22-jdk11-JENKINS-52279.

Unaffected image variants include those based on Alpine, Nanoserver, or Windows for jenkins/ssh-agent, and the alpine tag for jenkins/ssh-slave.

Mitigation

The issue has been resolved in jenkins/ssh-agent version 6.11.2, which ensures SSH host keys are no longer created at build time. Instead, they are generated anew when the container is started for the first time.

It’s important to note that CVE-2025-32755(jenkins/ssh-slave)is deprecated and will not receive a fix. Jenkins strongly encourage users to transition to the jenkins/ssh-agent image for future deployments.

Users relying on affected Docker images should immediately:

Update to jenkins/ssh-agent version 6.11.2 or later.
Discontinue use of jenkins/ssh-slave and migrate to the supported jenkins/ssh-agent alternative.

Follow us on X and Linkedin for the latest cybersecurity news

Did you like the post? Share it in your media

Axios Supply Chain Attack Exposes Developers to Cross-Platform RAT via Compromised npm Account

March 31, 2026 · Chetna Sehgal

A serious cybersecurity issue has recently come up involving Axios, which is a very popular JavaS...

Hacker Charged in $53 Million Uranium Finance Crypto Heist Linked to Smart Contract Exploit

March 31, 2026 · Chetna Sehgal

A major case of cryptocurrency theft has recently come into the spotlight, where a hacker has bee...

EU Cloud Systems Targeted in Cyberattack, Data Breach Confirmed by European Commission

March 30, 2026 · Chetna Sehgal

In March 2026, the European Commission confirmed that its official web platform, Europa.eu, was t...

Stealth Cyber Campaign Hits Southeast Asian Government, Linked to China-Based Threat Groups

March 30, 2026 · Chetna Sehgal

In 2025, a serious cyberattack campaign was discovered targeting a government organization in Sou...

Bearlyfy Targets 70+ Russian Firms Using Custom GenieLocker Ransomware

March 27, 2026 · Chetna Sehgal

A cybercriminal group known as Bearlyfy has recently carried out multiple ransomware attacks. Mor...

Ajax Cyber Breach Exposes Fan Data and Enables Ticket System Manipulation

March 27, 2026 · Chetna Sehgal

A serious cybersecurity issue has recently come to light involving AFC Ajax. The club confirmed t...

Jenkins Warns of SSH Security Flaw in Docker Images

Vulnerability Details

Impact

CVE-2025-32754 (`jenkins/ssh-agent`)

CVE-2025-32755 (`jenkins/ssh-slave`)

Mitigation

Did you like the post? Share it in your media

Top Articles

Topics from this Article

Stay Ahead in Cybersecurity and Tech!

Latest Articles

Axios Supply Chain Attack Exposes Developers to Cross-Platform RAT via Compromised npm Account

March 31, 2026 · Chetna Sehgal

Hacker Charged in $53 Million Uranium Finance Crypto Heist Linked to Smart Contract Exploit

March 31, 2026 · Chetna Sehgal

EU Cloud Systems Targeted in Cyberattack, Data Breach Confirmed by European Commission

March 30, 2026 · Chetna Sehgal

Stealth Cyber Campaign Hits Southeast Asian Government, Linked to China-Based Threat Groups

March 30, 2026 · Chetna Sehgal

Bearlyfy Targets 70+ Russian Firms Using Custom GenieLocker Ransomware

March 27, 2026 · Chetna Sehgal

Ajax Cyber Breach Exposes Fan Data and Enables Ticket System Manipulation

March 27, 2026 · Chetna Sehgal

Jenkins Warns of SSH Security Flaw in Docker Images

Vulnerability Details

Impact

CVE-2025-32754 (jenkins/ssh-agent)

CVE-2025-32755 (jenkins/ssh-slave)

Mitigation

Did you like the post? Share it in your media

Top Articles

Topics from this Article

Stay Ahead in Cybersecurity and Tech!

Latest Articles

Axios Supply Chain Attack Exposes Developers to Cross-Platform RAT via Compromised npm Account

March 31, 2026 · Chetna Sehgal

Hacker Charged in $53 Million Uranium Finance Crypto Heist Linked to Smart Contract Exploit

March 31, 2026 · Chetna Sehgal

EU Cloud Systems Targeted in Cyberattack, Data Breach Confirmed by European Commission

March 30, 2026 · Chetna Sehgal

Stealth Cyber Campaign Hits Southeast Asian Government, Linked to China-Based Threat Groups

March 30, 2026 · Chetna Sehgal

Bearlyfy Targets 70+ Russian Firms Using Custom GenieLocker Ransomware

March 27, 2026 · Chetna Sehgal

Ajax Cyber Breach Exposes Fan Data and Enables Ticket System Manipulation

March 27, 2026 · Chetna Sehgal

Join 1M+ professionals getting exclusive insights about CyberSecurity

CVE-2025-32754 (`jenkins/ssh-agent`)

CVE-2025-32755 (`jenkins/ssh-slave`)