
CVE-2025-53665: Jenkins Apica Loadtest Plugin vulnerability exposes authentication tokens

CVSS Score
4.3
CVSS Version
3.1

Basic Information

EPSS Score
0.07836%
Published
7/9/2025
Updated
7/9/2025
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
com.apica:ApicaLoadtest | maven | <= 1.10 | (none available)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is the plaintext storage of the Apica Loadtest authentication token, and the plugin's source code confirms it. The LoadtestBuilderModel class, the data model for the plugin's configuration, declares the field authToken as a plain String. Its constructor, LoadtestBuilderModel(...), is annotated with @DataBoundConstructor, so Jenkins (through Stapler data binding) calls it with the values submitted from the job configuration form, and the resulting object is persisted with the rest of the job by serializing it to XML. Because authToken is an ordinary String rather than a hudson.util.Secret (the Jenkins type that is encrypted on serialization), it is written to the job's config.xml verbatim, where any user with Item/Extended Read permission on the job, or with access to the controller's file system, can read it.

The getAuthToken() getter returns the token both for the plugin's API calls and for populating the job configuration form. The form does not treat the value as a password field, so the token is also displayed in the clear to anyone who can open the job's configuration page.

The LoadtestBuilder class, the build step that holds the LoadtestBuilderModel, is the entry point for this flow: its constructor receives the model, and the build step is saved as part of the job configuration.

No patched release exists at the time of writing, so the evidence comes directly from the plugin's source code rather than from a fix diff. The direct cause is the combination of @DataBoundConstructor binding with a sensitive value held in a String field; the standard remedy in Jenkins plugins is to declare the field as hudson.util.Secret and render it with a password input in the configuration form.
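The pattern described above and its standard remedy, as an added example that is not the Apica Loadtest plugin's own code: the vulnerable shape keeps the token in a String field, the hardened shape keeps it in a hudson.util.Secret. The package, class names, display name and the error text are illustrative assumptions; only the Jenkins and Stapler APIs (Builder, BuildStepDescriptor, Secret, @DataBoundConstructor) are real.

```java
package example.loadtest; // hypothetical package, not the plugin's

import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

/**
 * Vulnerable shape (illustrative; mirrors the pattern in the analysis above).
 * Stapler passes the submitted form value to the @DataBoundConstructor, Jenkins
 * then serializes the object with XStream, and a String field lands in the
 * job's config.xml exactly as typed:
 *   <authToken>my-plaintext-token</authToken>
 */
class PlaintextTokenBuilder extends Builder {
    private final String authToken;

    @DataBoundConstructor
    public PlaintextTokenBuilder(String authToken) {
        this.authToken = authToken;
    }

    /** Feeds the config form; with an <f:textbox> the raw token is shown on screen. */
    public String getAuthToken() {
        return authToken;
    }
}

/**
 * Hardened shape. hudson.util.Secret has its own XStream converter, so the same
 * field is persisted encrypted under the controller's master key, e.g.
 *   <authToken>{AQAAABAAAA...}</authToken>   (shape illustrative)
 * Stapler also binds a submitted form String into a Secret parameter, so the
 * constructor type can change without changing the form field name.
 */
public class SecretTokenBuilder extends Builder {
    private final Secret authToken;

    @DataBoundConstructor
    public SecretTokenBuilder(Secret authToken) {
        this.authToken = authToken;
    }

    /** Returned to the config form, which must render it with <f:password field="authToken"/>. */
    public Secret getAuthToken() {
        return authToken;
    }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        // Decrypt only at the point of use, and keep the plain text out of the build log.
        String token = Secret.toString(authToken);
        if (token.isEmpty()) {
            listener.error("No Apica Loadtest token configured");
            return false;
        }
        listener.getLogger().println("Calling the Loadtest API with the configured token (value not logged)");
        // ... the HTTP call that sends `token` as the API credential goes here (omitted) ...
        return true;
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Loadtest step (Secret token example)";
        }
    }
}
```

Two operational caveats follow from the change. The Secret converter reads a legacy unencrypted value through Secret.fromString(String), so jobs saved by the vulnerable version still load, but their config.xml keeps the plaintext token until the job is next saved; after upgrading, re-save the affected jobs and rotate the token, since anyone with Item/Extended Read or file-system access may already have read it. A quick inventory on the controller is to search the jobs directory for <authToken> elements whose value does not start with "{", which are the ones still stored in the clear.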


WAF Protection Rules

WAF Rule

Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read pe
