GHSA-4625-q52w-39cx
MEDIUMMissing permission check for paths with specific prefix in Jenkins
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
org.jenkins-ci.main:jenkins-core☕org.jenkins-ci.main:jenkins-coreReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Maven packages — download data is not available via public APIs for these ecosystems.
Description
Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from an otherwise universal permission check.
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly compare requested URLs with that list.
This allows attackers without Overall/Read permission to access plugin-provided URLs with any of the following prefixes if no other permissions are required:
accessDeniederrorinstance-identityloginlogoutoopssecurityRealmsignuptcpSlaveAgentListener
For example, a plugin contributing the path loginFoo/ would have URLs in that space accessible without the default Overall/Read permission check.
The Jenkins security team is not aware of any affected plugins as of the publication of this advisory.
The comparison of requested URLs with the list of always accessible URLs has been fixed to only allow access to the specific listed URLs in Jenkins 2.275, LTS 2.263.2.
In case this change causes problems, additional paths can be made accessible without Overall/Read permissions: The Java system property jenkins.model.Jenkins.additionalReadablePaths is a comma-separated list of additional path prefixes to allow access to.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| ☕Maven | org.jenkins-ci.main:jenkins-core | all versions | 2.263.2 |
| ☕Maven | org.jenkins-ci.main:jenkins-core | ≥ 2.264&&< 2.275 | 2.275 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for org.jenkins-ci.main:jenkins-core. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update org.jenkins-ci.main:jenkins-core to 2.263.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-4625-q52w-39cx is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-4625-q52w-39cx is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-4625-q52w-39cx. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-4625-q52w-39cx in your dependencies?
O3 detects GHSA-4625-q52w-39cx across Maven dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.