
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A cross-site request forgery (CSRF) vulnerability was discovered in Jenkins versions 2.499 and earlier, as well as LTS 2.492.1 and earlier. The vulnerability was identified on March 5, 2025, and assigned CVE-2025-27624. This security issue affects the HTTP endpoint responsible for toggling collapsed/expanded status of sidepanel widgets in Jenkins (Jenkins Advisory, NVD).
The vulnerability stems from the application's failure to require POST requests for the HTTP endpoint that controls the collapsed/expanded status of sidepanel widgets, such as the Build Queue and Build Executor Status widgets. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L. Additionally, the API accepts any string as the ID of the panel to be toggled, which can lead to attacker-controlled content being stored in the victim's user profile (Jenkins Advisory, Rapid7).
The vulnerability allows attackers to manipulate users into toggling their collapsed/expanded status of sidepanel widgets. Furthermore, due to the API's acceptance of arbitrary strings as panel IDs, attackers can store malicious content in the victim's user profile within Jenkins (Jenkins Advisory).
The vulnerability has been fixed in Jenkins weekly version 2.500 and LTS version 2.492.2. The fix requires POST requests for the affected HTTP endpoint. Users are strongly advised to upgrade to these versions or later to protect against this vulnerability (Jenkins Advisory).
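The following is a constructed Python model of the weakness class described above and of the fix, added here as an illustration; it is not Jenkins code, and the panel names, request fields and token scheme are assumptions. The pre-fix handler honours any HTTP method and stores whatever panel ID it is given, while the hardened handler accepts only POST, checks a session-bound anti-CSRF token, and restricts the panel ID to an allowlist.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed allowlist of panel IDs the UI actually renders (assumed names).
KNOWN_PANELS = {"buildQueue", "executors"}


@dataclass
class Request:
    method: str
    params: dict
    session_token: str = ""    # anti-CSRF token bound to the user's session
    submitted_token: str = ""  # token carried in the request body


@dataclass
class UserProfile:
    collapsed: set = field(default_factory=set)


def toggle_vulnerable(req: Request, profile: UserProfile) -> bool:
    """Pre-fix behaviour: any method is honoured and any string is stored
    in the profile as a panel ID."""
    panel = req.params.get("paneId", "")
    profile.collapsed.symmetric_difference_update({panel})
    return True


def toggle_hardened(req: Request, profile: UserProfile) -> bool:
    """Fixed behaviour: state changes only on POST, only with a valid
    anti-CSRF token, and only for panel IDs the application knows."""
    if req.method != "POST":
        return False  # a plain cross-site navigation or image load is rejected
    if not req.session_token or not hmac.compare_digest(
        req.session_token, req.submitted_token
    ):
        return False  # a cross-origin page cannot read the session token
    panel = req.params.get("paneId", "")
    if panel not in KNOWN_PANELS:
        return False  # arbitrary strings never reach the stored profile
    profile.collapsed.symmetric_difference_update({panel})
    return True


def new_session_token() -> str:
    """Issue a fresh unguessable token to store in the user's session."""
    return secrets.token_urlsafe(32)
```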
The vulnerability was discovered and reported by Antoine Ruffino from CloudBees, Inc., demonstrating ongoing security research within the Jenkins ecosystem. The Jenkins project promptly addressed the vulnerability through their security advisory process (Jenkins Advisory).
Source: This report was generated using AI