A recent vulnerability in Jenkins Docker images has raised concerns over network security. The vulnerability is caused by the reuse of SSH host keys: affected Docker images, such as jenkins/ssh-agent and jenkins/ssh-slave, use identical SSH host keys in containers built from the same image version. This enables attackers to impersonate Jenkins build agents. As a result, sensitive network traffic could be intercepted and compromised, exposing critical data to potential attackers.
The flaw in question allows an attacker to intercept communication between a Jenkins controller and a build agent. If attackers can gain access to these communications, they can impersonate the build agent and hijack sensitive data. The Jenkins team has identified two specific vulnerabilities: CVE-2025-32754, affecting jenkins/ssh-agent images, and CVE-2025-32755, which impacts older, deprecated jenkins/ssh-slave images.
Both vulnerabilities present medium-level risks.
To address the issue, Jenkins has released an updated version of the jenkins/ssh-agent Docker image (6.11.2). This new version generates unique SSH host keys when a container starts, eliminating the risk of reused keys. Users of the affected versions are strongly advised to update their systems immediately. For the deprecated jenkins/ssh-slave images, no fixes will be provided, and users are urged to transition to the newer jenkins/ssh-agent image.
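One way to check whether running agents still share a host key is to compare their host-key fingerprints. The following is an added example, not code from the Jenkins project: it assumes input in the `host keytype base64-key` format that `ssh-keyscan` prints, and the host names and key blobs in the sample are constructed placeholders.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(b64_blob):
    """SHA256 fingerprint of a base64 public-key blob, in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_host_keys(keyscan_text):
    """Return {(keytype, fingerprint): [hosts]} for host keys seen on more than one host."""
    hosts_by_key = defaultdict(set)
    for line in keyscan_text.splitlines():
        parts = line.split()
        # Skip blank lines, ssh-keyscan banner comments and malformed lines.
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        host, keytype, blob = parts[:3]
        try:
            hosts_by_key[(keytype, fingerprint(blob))].add(host)
        except ValueError:  # invalid base64, so not a key line
            continue
    return {k: sorted(v) for k, v in hosts_by_key.items() if len(v) > 1}


def sample_blob(label):
    # Constructed stand-in for a public-key blob; NOT a real SSH key.
    return base64.b64encode(label.encode()).decode()


# Constructed sample: agent-1 and agent-2 run containers from the same affected
# image version, agent-3 generated its own host key at container start.
SAMPLE_KEYSCAN = "\n".join([
    "# agent-1:22 SSH-2.0-OpenSSH (constructed sample)",
    f"agent-1 ssh-ed25519 {sample_blob('image-baked-key')}",
    f"agent-2 ssh-ed25519 {sample_blob('image-baked-key')}",
    f"agent-3 ssh-ed25519 {sample_blob('unique-key-generated-at-start')}",
])

if __name__ == "__main__":
    for (keytype, fp), hosts in find_shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"SHARED {keytype} {fp}: {', '.join(hosts)}")
```

Any group it reports is a set of agents presenting the same host key, which is the condition the updated image removes by generating keys at container start.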
This incident highlights the critical need for organizations to maintain up-to-date containerized environments to mitigate security risks.
Regular updates and proper migration to secure versions are essential to maintaining a safe and reliable network infrastructure. The Jenkins team also acknowledged the contribution of security researcher Abhishek Reddypalle in reporting these vulnerabilities.