CVE-2025-47885: 
Java vulnerability analysis and mitigation

CVE-2025-47885 is a stored cross-site scripting (XSS) vulnerability affecting the Jenkins Health Advisor by CloudBees Plugin versions 374.v194b_d4f0c8c8 and earlier. The vulnerability was discovered by Daniel Beck from CloudBees, Inc. and was publicly disclosed on May 14, 2025. The issue affects the CloudBees Jenkins Advisor plugin, which fails to properly escape responses from the Jenkins Health Advisor server (Jenkins Advisory).

The vulnerability stems from the plugin's failure to properly escape responses received from the Jenkins Health Advisor server. This security flaw has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this stored XSS vulnerability allows attackers who can control Jenkins Health Advisor server responses to inject malicious JavaScript code. The injected code is then persistently stored and executed in the context of future users accessing the Jenkins instance, potentially leading to unauthorized access, data theft, or further system compromise (Security Online).

The vulnerability has been fixed in Health Advisor by CloudBees Plugin version 374.376.v3a41aa_142efe. Users are strongly advised to update to this version, which properly escapes responses from the Jenkins Health Advisor server (Jenkins Advisory).