Description
In Jenkins 2.499 and earlier, LTS 2.492.1 and earlier, redirect targets that start with a backslash (`\`) are considered safe, allowing attackers to perform phishing attacks by having users visit a Jenkins URL that forwards them to a different site. Jenkins only rejected targets with an explicit scheme or a leading `//`, but browsers (per the WHATWG URL Standard) treat backslashes in http(s) URLs as forward slashes, so a target such as `\\example.com` or `/\example.com` is resolved as the scheme-relative `//example.com` and navigates to the attacker's host.
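The browser behaviour behind this advisory, as an added example that is not part of the original page or of Jenkins' own code. It runs on Node.js, whose `URL` class implements the WHATWG URL Standard that browsers follow, and shows three things side by side: a naive redirect check of the shape the advisory describes as insufficient (an assumption about its form, not Jenkins' actual implementation), the URL a browser actually navigates to for each target, and a hardened check that rejects leading backslashes and confirms the resolved origin. The origin `https://jenkins.example`, the hostnames and the function names are constructed for the example.

```javascript
// Added example (not Jenkins code). Node's URL class follows the WHATWG URL
// Standard, the same parsing rules browsers use, so it stands in for the
// browser that receives the 302 Location header.

const JENKINS_ORIGIN = 'https://jenkins.example'; // constructed base origin

// Reconstruction of the kind of check the advisory calls insufficient (an
// assumption about its shape, not Jenkins' real implementation): it rejects
// absolute URLs with a scheme and scheme-relative "//host" URLs, but never
// looks at backslashes.
function naiveIsSafeToRedirectTo(target) {
  if (/^[a-z][a-z0-9+.-]*:/i.test(target)) return false; // e.g. https://evil.example/
  if (target.startsWith('//')) return false;              // e.g. //evil.example/
  return true;
}

// Where the browser ends up after being redirected to `target` from `base`.
function browserResolves(target, base = JENKINS_ORIGIN) {
  return new URL(target, base).href;
}

// Hardened check: refuse prefixes the URL parser folds into an authority
// ("//", "/\", "\/", "\\"), refuse any leading backslash outright (the
// direction the advisory's fix takes), then confirm the resolved URL is still
// on our own origin. javascript: and data: URLs resolve to origin "null".
function isSafeToRedirectTo(target, base = JENKINS_ORIGIN) {
  if (typeof target !== 'string' || target.length === 0) return false;
  if (/^[\\\/][\\\/]/.test(target)) return false;   // authority-looking prefix
  if (target.startsWith('\\')) return false;         // backslash is never a safe start
  let resolved;
  try {
    resolved = new URL(target, base);
  } catch (e) {
    return false;                                    // unparseable: do not redirect
  }
  return resolved.origin === new URL(base).origin;
}

// Constructed redirect targets an attacker might place in a Jenkins URL parameter.
const SAMPLES = [
  '/job/build-all/',       // legitimate relative path
  '//evil.example/',       // classic scheme-relative redirect
  'https://evil.example/', // absolute URL
  '\\\\evil.example/',     // "\\evil.example/": browser treats it as //evil.example/
  '/\\evil.example/',      // "/\evil.example/": same effect
  '\\evil.example/',       // "\evil.example/": stays on our host, still rejected
  'javascript:alert(1)',   // not a navigation target we ever want to emit
];

for (const t of SAMPLES) {
  console.log(
    `${t.padEnd(24)} naive=${String(naiveIsSafeToRedirectTo(t)).padEnd(5)}` +
    ` browser->${browserResolves(t).padEnd(40)} hardened=${isSafeToRedirectTo(t)}`
  );
}
```

Running the block prints one row per sample; the two rows to look at are `\\evil.example/` and `/\evil.example/`, which the naive check accepts while the browser resolves them to `https://evil.example/`. Comparing the parsed origin, rather than pattern-matching the raw string, is what makes the hardened check hold up against further encoding tricks, and rejecting every leading backslash removes a class of inputs that only ever appears in attacks.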
Remediation
References
Related Vulnerabilities
phpBB Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2002-2346)
PostgreSQL Permissions, Privileges, and Access Controls Vulnerability (CVE-2007-6600)
WordPress Plugin YOP Poll Cross-Site Scripting (6.2.7)
WordPress 4.5.x Multiple Vulnerabilities (4.5 - 4.5.28)
Dolibarr Improper Privilege Management Vulnerability (CVE-2022-43138)