Jenkins Gatling Plugin Flaw Allows CSP Bypass, Exposing Systems to Attack

On June 6, 2025, the Jenkins Project issued a security advisory (SECURITY-3588 / CVE-2025-5806) affecting the Gatling Plugin, a widely used tool for displaying performance test reports within the Jenkins automation server.

The vulnerability carries a high severity rating, with CVSS base scores ranging from 8.0 to 9.0 across different versions, indicating a significant risk to affected systems.

Vulnerability Overview and Technical Details

The core issue lies in Gatling Plugin version 136.vb_9009b_3d33a_e, which serves Gatling reports in a way that bypasses the Content-Security-Policy (CSP) protections introduced in Jenkins versions 1.641 and 1.625.3.

This bypass enables a cross-site scripting (XSS) vulnerability, classified as CWE-79—Improper Neutralization of Input During Web Page Generation.

Attackers with the ability to modify report content—even those with low-privileged access—can inject malicious scripts that execute in the context of other users’ browsers.

Such scripts could ...