CVE-2025-47884
Jenkins OpenID Connect Provider Plugin Incorrectly Validates Crafted Build ID Tokens
Severity: 9.1 CRITICAL (CVSS 3.1)
EPSS: 0.93%
Description
In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier, the generation of build ID Tokens uses potentially overridden values of environment variables. In conjunction with certain other plugins, this allows attackers able to configure jobs to craft a build ID Token that impersonates a trusted job, potentially gaining unauthorized access to external services. Because the token's identity claims are derived from those variables rather than from the build itself, a job that can set them can present itself to a relying party as a different, trusted job.
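The following is an added illustration, not code from the plugin or the advisory. It models the failure mode described above: a token's identity claims are filled from `${VAR}` templates over the build environment, and a job owner who can inject environment variables into their own job can make the token's `sub` claim name a trusted job. The claim templates, the `Build` class, the `ROOT_URL` and the job names are all constructed for the example; the real plugin's claim names and template syntax are not reproduced here.

```python
import re
from dataclasses import dataclass, field

# Hypothetical claim templates using ${VAR} expansion (assumption; the real
# plugin's templates and claim names are not reproduced here).
CLAIM_TEMPLATES = {
    "sub": "${JOB_URL}",
    "job_name": "${JOB_NAME}",
    "build_number": "${BUILD_NUMBER}",
}

ROOT_URL = "https://jenkins.example.invalid/"  # constructed


@dataclass
class Build:
    """Minimal stand-in for a Jenkins build (constructed model)."""
    job_full_name: str
    number: int
    # Values a job owner can inject into the build environment, e.g. through
    # a build parameter or an environment-injecting plugin.
    job_env_overrides: dict = field(default_factory=dict)

    def core_env(self) -> dict:
        """Variables derived from the build model itself, not from the job's config."""
        return {
            "JOB_NAME": self.job_full_name,
            "JOB_URL": f"{ROOT_URL}job/{self.job_full_name}/",
            "BUILD_NUMBER": str(self.number),
        }


def expand(template: str, env: dict) -> str:
    """Expand ${VAR} references; unknown variables expand to the empty string."""
    return re.sub(r"\$\{(\w+)\}", lambda m: env.get(m.group(1), ""), template)


def vulnerable_claims(build: Build) -> dict:
    """Fill claims from the effective build environment, job overrides included."""
    env = {**build.core_env(), **build.job_env_overrides}
    return {name: expand(t, env) for name, t in CLAIM_TEMPLATES.items()}


def hardened_claims(build: Build) -> dict:
    """Fill identity claims only from values the build model computed."""
    return {name: expand(t, build.core_env()) for name, t in CLAIM_TEMPLATES.items()}


def relying_party_accepts(claims: dict, trusted_sub: str) -> bool:
    """An external service that grants access when the token's sub matches a trusted job."""
    return claims.get("sub") == trusted_sub


def demo() -> dict:
    trusted = Build("prod/deploy", 42)
    trusted_sub = trusted.core_env()["JOB_URL"]
    # The attacker controls only a sandbox job but can set env vars inside it.
    forged = Build("sandbox/untrusted", 7, job_env_overrides={
        "JOB_NAME": "prod/deploy",
        "JOB_URL": trusted_sub,
    })
    return {
        "vulnerable_accepts_forged": relying_party_accepts(vulnerable_claims(forged), trusted_sub),
        "hardened_accepts_forged": relying_party_accepts(hardened_claims(forged), trusted_sub),
        "hardened_accepts_genuine": relying_party_accepts(hardened_claims(trusted), trusted_sub),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the model makes is that the relying party cannot detect the forgery: the token is genuinely signed by the Jenkins instance, so signature, issuer and audience checks all pass. Only the provider side can fix this, by sourcing identity claims from the build model rather than from job-influenced environment expansion, which is what the upgrade delivers.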
How to fix CVE-2025-47884
To remediate CVE-2025-47884, upgrade the affected plugin to a fixed version:
- Jenkins OpenID Connect Provider Plugin: upgrade to 111.v29fd614b_3617 or later
Is CVE-2025-47884 being exploited?
Low. EPSS is 0.93%, i.e. the model's estimated probability of exploitation in the wild within the next 30 days is under 1%. This is a prediction, not evidence that the flaw is unexploited: on an affected instance, any user who can configure a job already has what the description requires, and no public exploit is needed.
Affected packages (1)
- Jenkins OpenID Connect Provider Plugin: all versions before 111.v29fd614b_3617 (range 0 <= version < 111.v29fd614b_3617)
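To check whether an instance falls inside the affected range above, and to confirm the upgrade in the fix section took effect, the following added script (not part of this advisory or the plugin) compares an installed plugin version against the fixed release. Jenkins plugins released under the `<changelist>.v<hash>` scheme order by the leading integer, so `96.vee8ed882ec4d` sorts before `111.v29fd614b_3617`; the script assumes that the leading numeric segments are sufficient to order this plugin's releases. The plugin short name `oidc-provider`, the `pluginManager/api/json?depth=1` endpoint shape and the sample response are assumptions made for the example.

```python
import json
import urllib.request

PLUGIN_SHORT_NAME = "oidc-provider"      # assumed short name of the plugin
FIXED_VERSION = "111.v29fd614b_3617"     # from the advisory


def version_key(version: str) -> tuple:
    """Ordering key for Jenkins plugin versions.

    Modern plugins use "<changelist>.v<hash>", where only the leading integer
    orders releases; older plugins used dotted numerics like "1.2.3". The key
    is the tuple of leading numeric segments, stopping at the first segment
    that is not a plain integer (assumption: sufficient for this plugin).
    """
    key = []
    for seg in version.split("."):
        if not seg.isdigit():
            break
        key.append(int(seg))
    return tuple(key)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed sorts before the fixed release (range 0 <= v < fixed)."""
    return version_key(installed) < version_key(fixed)


def installed_version(plugins_json: dict, short_name: str = PLUGIN_SHORT_NAME):
    """Pull one plugin's version out of pluginManager/api/json?depth=1 output."""
    for plugin in plugins_json.get("plugins", []):
        if plugin.get("shortName") == short_name:
            return plugin.get("version")
    return None  # plugin not installed


def check_instance(jenkins_url: str, basic_auth: str = "") -> dict:
    """Live check (needs network and Overall/Read on the instance).

    basic_auth is the base64 of "user:apitoken"; leave empty for anonymous.
    """
    url = f"{jenkins_url.rstrip('/')}/pluginManager/api/json?depth=1"
    req = urllib.request.Request(url)
    if basic_auth:
        req.add_header("Authorization", f"Basic {basic_auth}")
    with urllib.request.urlopen(req) as resp:
        data = json.load(resp)
    version = installed_version(data)
    return {
        "installed": version,
        "affected": version is not None and is_affected(version),
    }


# Constructed sample response in the shape the API returns (fields trimmed).
SAMPLE_RESPONSE = {
    "plugins": [
        {"shortName": "git", "version": "5.7.0"},
        {"shortName": "oidc-provider", "version": "96.vee8ed882ec4d"},
    ]
}

if __name__ == "__main__":
    version = installed_version(SAMPLE_RESPONSE)
    state = "AFFECTED" if version and is_affected(version) else "fixed or absent"
    print(f"{PLUGIN_SHORT_NAME} {version}: {state}")
```

Upgrading the plugin is the only remediation the advisory offers; version pinning in a relying party does not help, since forged tokens are validly signed by the instance. After upgrading, re-run the check and also confirm that the plugin was actually reloaded (a pending restart leaves the old code serving tokens).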
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL | 9.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L |