Jenkins Host key reuse in SSH build agent Docker images (CVE-2025-32754 and CVE-2025-32755)
CVE numbers CVE-2025-32754 and CVE-2025-32755.
In jenkins/ssh-slave Docker images based on Debian, SSH host keys are generated on image creation. As a result, all containers based on images of the same version use the same SSH host keys. This allows attackers able to insert themselves into the network path between the SSH client (typically the Jenkins controller) and the SSH build agent to impersonate the latter.
jenkins/ssh-slave is deprecated and will not be updated. Use jenkins/ssh-agent instead.
This affects the following image variants:
- jenkins/ssh-agent:
  - All not explicitly specifying an OS, including all `-jdk*` and `-jdk*-preview` suffixes (all before 2025-04-10)
  - All containing `debian`, `stretch`, `bullseye`, or `bookworm` (all before 2025-04-10)
- jenkins/ssh-slave: The tags `latest`, `jdk11`, `latest-jdk11`, `revert-22-jdk11-JENKINS-52279`
The following image variants are unaffected:
- jenkins/ssh-agent: All containing `alpine`, `nanoserver`, or `windows`
- jenkins/ssh-slave: The tag `alpine`
Further details – https://www.jenkins.io/security/advisory/2025-04-10/#SECURITY-3565
