CVE-2025-31723: 
Java vulnerability analysis and mitigation

A cross-site request forgery (CSRF) vulnerability was discovered in Jenkins Simple Queue Plugin versions 1.4.6 and earlier, identified as CVE-2025-31723. The vulnerability was disclosed on April 2, 2025, and affects the build queue management functionality of the Jenkins automation server (Jenkins Advisory, NVD).

The vulnerability stems from the Simple Queue Plugin not requiring POST requests for multiple HTTP endpoints. This security flaw has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) (CISA-ADP).

When exploited, this vulnerability allows attackers to manipulate the Jenkins build queue by changing and resetting the build queue order through forged requests (Jenkins Advisory).

The vulnerability has been fixed in Simple Queue Plugin version 1.4.7, which now requires POST requests for the affected HTTP endpoints. Administrators can optionally enable equivalent HTTP endpoints without CSRF protection via the global configuration if needed. Organizations are strongly advised to upgrade to the fixed version (Jenkins Advisory).