CVE-2025-27625: 
Java vulnerability analysis and mitigation

CVE-2025-27625 is an open redirect vulnerability discovered in Jenkins, affecting versions 2.499 and earlier, and LTS 2.492.1 and earlier. The vulnerability was disclosed on March 5, 2025, and involves redirects starting with backslash (\) characters being incorrectly considered safe by the Jenkins server (Jenkins Advisory, NVD).

The vulnerability stems from Jenkins' URL redirection mechanism, which is designed to limit redirections to safe URLs that are neither absolute nor scheme-relative. However, the affected versions incorrectly classify URLs beginning with backslash characters as safe. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, and is classified as CWE-601 (URL Redirection to Untrusted Site) (CISA-ADP, Rapid7).

The vulnerability enables attackers to perform phishing attacks by directing users to a Jenkins URL that forwards them to a malicious site. This occurs because web browsers interpret backslash characters as part of scheme-relative redirects, potentially exposing users to untrusted external websites (Jenkins Advisory).

The vulnerability has been fixed in Jenkins 2.500 and LTS 2.492.2. In these versions, redirects to URLs starting with backslash characters are considered unsafe and are rejected by the server. Users are strongly advised to upgrade to these patched versions (Jenkins Advisory).

The vulnerability was reported by a security researcher identified as XBOW, and the Jenkins project has acknowledged their contribution in discovering and reporting this security issue (Jenkins Advisory).