Jenkins reports SSH Host Key Reuse in its Docker Images
Take action: If you run Jenkins build agents from Docker images, update your jenkins/ssh-agent image and replace the deprecated jenkins/ssh-slave image. Isolation helps, but this is a long-term problem, so plan the update and carry it out.
A security vulnerability has been reported in Jenkins Docker images, creating potential security risks for organizations that use these containers in their CI/CD environments. The issue stems from the improper generation and reuse of SSH host keys, which could enable network-based attacks against Jenkins build agents.
Vulnerability summary
- CVE-2025-32754 (CVSS score 9.1) (jenkins/ssh-agent): in jenkins/ssh-agent Docker images version 6.11.1, the SSH host keys are generated during image creation rather than container instantiation, so all containers of the same version share identical SSH host keys.
- CVE-2025-32755 (CVSS score 9.1) (jenkins/ssh-slave): in jenkins/ssh-slave Docker images based on Debian, SSH host keys are generated during image creation rather than container startup, so all containers of the same version share identical SSH host keys.
The vulnerability affects the jenkins/ssh-agent and deprecated jenkins/ssh-slave Docker images, which are commonly used to establish build agents via the SSH Build Agents plugin.
Attackers who can position themselves in the network path between the SSH client (typically the Jenkins controller) and the SSH build agent could impersonate the build agent, potentially compromising sensitive build data or injecting malicious code.
Affected Versions
- jenkins/ssh-agent Docker images up to and including 6.11.1: all images not explicitly specifying an OS, including all -jdk* and -jdk*-preview suffixes (all before 2025-04-10), and all images containing debian, stretch, bullseye, or bookworm (all before 2025-04-10).
- jenkins/ssh-slave Docker images (all versions): affected tags include latest, jdk11, latest-jdk11, and revert-22-jdk11-JENKINS-52279.
Unaffected Versions
- jenkins/ssh-agent: All images containing alpine, nanoserver, or windows
- jenkins/ssh-slave: The tag alpine
The Jenkins project has addressed this vulnerability in jenkins/ssh-agent version 6.11.2. This updated version deletes the automatically generated SSH host keys created during image creation, with new host keys being generated on the first container startup instead.
jenkins/ssh-slave is deprecated and will not receive updates. Users currently employing jenkins/ssh-slave images should migrate to jenkins/ssh-agent for continued security updates and maintenance.
Organizations using Jenkins in their CI/CD pipelines should prioritize updating to the patched version.
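A way to check a fleet for the shared-key condition described above, as an added example that is not code from the Jenkins project: it reads lines in the `host keytype base64-key` format that `ssh-keyscan` prints and reports any host key that appears on more than one build agent. The host names and keys in the sample are constructed, and the function names are this example's own.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(key_type: str, b64_blob: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of a public host key."""
    blob = base64.b64decode(b64_blob, validate=True)
    # The key blob starts with a length-prefixed key type; it must match the
    # type named on the line, otherwise the line is corrupt or truncated.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(scan_output: str) -> dict:
    """Map (key type, fingerprint) -> sorted hosts, for keys seen on 2+ hosts."""
    seen = defaultdict(set)
    for line in scan_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):  # blank, short, comment
            continue
        host, key_type, blob = parts[:3]
        try:
            seen[(key_type, fingerprint(key_type, blob))].add(host)
        except ValueError:  # also covers invalid base64 (binascii.Error)
            continue
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def _constructed_key(seed: str) -> str:
    """Build a well-formed ssh-ed25519 blob for the sample (not a real key)."""
    name = b"ssh-ed25519"
    raw = hashlib.sha256(seed.encode()).digest()  # 32 bytes, like an ed25519 key
    blob = len(name).to_bytes(4, "big") + name + len(raw).to_bytes(4, "big") + raw
    return base64.b64encode(blob).decode()


# Constructed sample: agent-a and agent-b carry the key baked into the image,
# agent-c generated its own key at container startup.
SAMPLE_SCAN = "\n".join([
    "# agent-a:22 SSH-2.0-OpenSSH (constructed)",
    f"agent-a ssh-ed25519 {_constructed_key('baked-into-image')}",
    f"agent-b ssh-ed25519 {_constructed_key('baked-into-image')}",
    f"agent-c ssh-ed25519 {_constructed_key('generated-at-startup')}",
])

if __name__ == "__main__":
    for (key_type, fp), hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(f"{key_type} {fp} shared by: {', '.join(hosts)}")
```

Any group it reports means those agents present the same host key; after moving to a fixed image and recreating the containers, a fresh scan should return no groups.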