CVE-2025-59474: 
Java vulnerability analysis and mitigation

CVE-2025-59474 is a medium-severity security vulnerability affecting Jenkins, discovered in September 2025. The vulnerability exists in Jenkins 2.527 and earlier versions, as well as LTS 2.516.2 and earlier versions. The flaw stems from a missing permission check in the sidepanel of a page that is intentionally accessible to users lacking Overall/Read permission (Jenkins Advisory, NVD).

The vulnerability occurs due to a failure to perform permission checks in the sidepanel executors widget. This security flaw allows attackers without Overall/Read permission to enumerate and list agent names through the sidepanel executors widget. The vulnerability has been assigned a medium severity CVSS score of 5.3, indicating moderate risk (Cybersecurity News).

The primary impact of this vulnerability is the unauthorized disclosure of agent names in Jenkins installations. Attackers without proper Overall/Read permissions can exploit this flaw to gather information about the Jenkins infrastructure by accessing the sidepanel executors widget, potentially using this information for further targeted attacks (Jenkins Advisory).

The vulnerability has been fixed in Jenkins weekly version 2.528 and LTS version 2.516.3. The fix removes the sidepanel from the affected view, effectively preventing unauthorized access to agent names. Administrators are strongly advised to upgrade to these versions or newer to mitigate the risk (Jenkins Advisory, Cybersecurity News).

The vulnerability was discovered and reported by Robert Houtenbrink, Faris Mohammed, and Harsh Yadav from the IBM Cloud Red Team. The Jenkins project has acknowledged their contribution in identifying and reporting this security issue (Jenkins Advisory).