Vulnerability in Jenkins Ssh-agent
CVE-2025-32754
In jenkins/ssh-agent Docker images 6.11.1 and earlier, SSH host keys are generated on image creation for images based on Debian, causing all containers based on images of the same version to use the same SSH host keys, allowing attackers able…
EPSS: 0.004 (32.8th percentile).
CVSS v3 metric
CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.
Affected products
Weakness classification (CWE)
Public proof-of-concept exploits
References
- jenkinsci-cert@googlegroups.com (Vendor Advisory)
Frequently asked questions
- What is CVE-2025-32754?
- CVE-2025-32754 is a critical-severity vulnerability in Jenkins Ssh-agent, classified under Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG). CVSS score: 9.1/10. Published 2025-04-10.
- How severe is CVE-2025-32754?
- Critical severity. CVSS v3 base score is 9.1 out of 10.
- Is CVE-2025-32754 known to be exploited?
- 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.