CVE-2025-5806: 
Java vulnerability analysis and mitigation

A high-severity vulnerability (CVE-2025-5806) was identified in the Jenkins Gatling Plugin version 136.vb9009b3d33a_e, disclosed on June 6, 2025. The vulnerability affects the plugin's handling of Gatling reports, where it bypasses the Content-Security-Policy (CSP) protection that was originally introduced in Jenkins versions 1.641 and 1.625.3 (Jenkins Advisory, NVD).

The vulnerability is classified as a cross-site scripting (XSS) issue with a CVSS v3.1 base score of 8.0 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. The flaw specifically relates to how the Gatling Plugin serves reports, circumventing the established Content-Security-Policy protections. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) (Wiz, NVD).

The vulnerability enables potential attackers to inject malicious JavaScript into Jenkins dashboards, which could lead to session hijacking, credential theft, redirection to malicious websites, and persistent control over the Jenkins interface. This is particularly concerning in shared or enterprise Jenkins environments where multiple users interact with reporting features (Security Online).

As of the advisory's publication, no official fix is available for the vulnerability. The Jenkins security team recommends affected users downgrade to Gatling Plugin version 1.3.0, which is not affected by this vulnerability. It's important to note that while the advisory mentions earlier versions being affected, this is a technical limitation of the advisory pages on jenkins.io, and earlier versions are actually not impacted (Jenkins Advisory).