Vulnerability in Jenkins Ssh-slave
CVE-2025-32755
In jenkins/ssh-slave Docker images based on Debian, SSH host keys are generated on image creation, causing all containers based on images of the same version to use the same SSH host keys, allowing attackers able to…
EPSS: 0.004 (32.8th percentile).
CVSS v3 metric
CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.
Affected products
- Jenkins Ssh-slave
- Jenkins Project Jenkins/ssh-slave Docker Images — versions alpine
Weakness classification (CWE)
- CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Public proof-of-concept exploits
References
- jenkinsci-cert@googlegroups.com (Vendor Advisory)
Frequently asked questions
- What is CVE-2025-32755?
- CVE-2025-32755 is a critical-severity vulnerability in Jenkins Ssh-slave, classified under Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG). CVSS score: 9.1/10. Published 2025-04-10.
- How severe is CVE-2025-32755?
- Critical severity. CVSS v3 base score is 9.1 out of 10.
- Is CVE-2025-32755 known to be exploited?
- 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.