Product Introduction
Important Notice | JumpServer Vulnerability Notification and Fix 2025-10-30 (CVE-2025-62712|CVE-2025-62795)
In October 2025, security vulnerabilities in the JumpServer open source bastion host were discovered by users and reported to the JumpServer open source project team.
Vulnerability Information:
1. The connection-token list for connected sessions in JumpServer carries a privilege escalation risk; CVE number CVE-2025-62712
2. The LDAP configuration test in JumpServer can be triggered without proper authorization; CVE number CVE-2025-62795
Affected versions:
JumpServer V3: <=v3.10.20 LTS
JumpServer V4: <=v4.10.11 LTS
Secure versions:
JumpServer V3: >=v3.10.21 LTS
JumpServer V4: >=v4.10.12 LTS
Fixes:
Permanent fix: Upgrade JumpServer software to the above secure versions.
Temporary fix: Restrict access to the affected API endpoints; this has minimal impact on JumpServer's main functions. Example Nginx configuration:

```nginx
# CVE-2025-62712
location /api/v1/authentication/super-connection-token/ {
    return 200 '';
}
location /api/v1/resources/super-connection-tokens/ {
    return 200 '';
}
# CVE-2025-62795: this also disables the test and import functions in the LDAP configuration
location /ws/ldap {
    return 200 '';
}
```
Thanks to SolidLab for discovering and timely reporting the above vulnerabilities to the JumpServer open source community.
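As an added check that is not part of the notice or of JumpServer's own code: the Python below encodes the affected/secure ranges above, flags inventory entries still on affected releases, and verifies that the three endpoints covered by the Nginx workaround answer with an empty 200, which is what the snippet produces. The inventory and response samples are constructed, and the handling of major lines the notice does not name is an assumption.

```python
import re
import urllib.request
from urllib.error import HTTPError

# Last affected release per major line, from the notice (V3 <= 3.10.20, V4 <= 4.10.11).
LAST_AFFECTED = {3: (3, 10, 20), 4: (4, 10, 11)}

# The endpoints the temporary Nginx workaround turns into empty 200 responses.
MITIGATED_PATHS = (
    "/api/v1/authentication/super-connection-token/",
    "/api/v1/resources/super-connection-tokens/",
    "/ws/ldap",
)

def parse_version(text):
    """Turn 'v3.10.20 LTS' or '4.10.12' into a comparable (major, minor, patch) tuple."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised JumpServer version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(text):
    """True if the version is at or below the last affected release of its line.
    Assumption for lines the notice omits: older than V3 is affected, newer than V4 is not."""
    v = parse_version(text)
    last = LAST_AFFECTED.get(v[0])
    if last is None:
        return v[0] < 3
    return v <= last

def hosts_needing_upgrade(inventory):
    """inventory maps hostname -> version string; returns hosts still on affected code."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))

def workaround_in_place(responses):
    """responses maps path -> (status, body). True only when every mitigated path
    answered 200 with an empty body, exactly what the Nginx snippet returns."""
    return all(responses.get(p) == (200, b"") for p in MITIGATED_PATHS)

def fetch_responses(base_url, timeout=5.0):
    """Live probe of an instance you operate, feeding workaround_in_place(); network only."""
    out = {}
    for p in MITIGATED_PATHS:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + p, timeout=timeout) as r:
                out[p] = (r.status, r.read())
        except HTTPError as e:  # 4xx/5xx still carries a status and a body
            out[p] = (e.code, e.read())
    return out
```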
1 What is JumpServer?
JumpServer is a popular open source bastion host: a professional operations and maintenance (O&M) security audit system conforming to the 4A specification. It helps enterprises manage and log in to all types of assets more securely, providing pre-authorization, in-session monitoring and post-session auditing to meet compliance requirements.

The JumpServer bastion host supports the following asset types:
- SSH (Linux / Unix / Network devices, etc.)
- Windows (Web access / native RDP access)
- Database (MySQL / MariaDB / Oracle / SQL Server / PostgreSQL / ClickHouse, etc.)
- NoSQL (Redis / MongoDB, etc.)
- GPT (ChatGPT, etc.)
- Cloud services (Kubernetes / VMware vSphere, etc.)
- Web sites (Web management backends of various systems)
- Applications (various applications accessed through Remote App)
2 Product Features
JumpServer product features include:
- Open source: No barrier to entry, quick to obtain and install online
- Distributed: Easily supports large-scale concurrent access
- Plugin-free: Browser only, a first-class Web Terminal experience
- Multi-cloud support: One system managing assets across different clouds
- Cloud storage: Audit recordings stored in cloud, never lost
- Multi-tenant: One system for multiple subsidiaries and departments
- Multi-application support: Database, Windows remote applications, Kubernetes
3 Page Display

4 Application Store
JumpServer's remote application feature supports Chrome and DBeaver by default in the Community Edition, and a richer set of remote applications in the Enterprise Edition. Open the Application Store to get more remote applications.
5 Security Statement
- JumpServer is a security product. Please follow basic security recommendations for installation and deployment.
- If you discover security issues, please contact us directly: support@fit2cloud.com