The vulnerability, CVE-2025-53742, stems from the insecure storage of the Applitools API key. The root cause is that the plugin was using the standard java.lang.String data type to handle and persist the API key. In the Jenkins ecosystem, any sensitive data such as credentials, tokens, or API keys must be handled using the hudson.util.Secret class. This class ensures that the data is encrypted when it's persisted to disk (e.g., in config.xml files) and is masked in the user interface.
The analysis of the patch commit e41e2351248225588896cbf2e62fb8bcc2b5be0e clearly shows the remediation strategy. The developers replaced every instance where the applitoolsApiKey was a String with hudson.util.Secret. This change was applied across all configuration entry points, including the Freestyle job BuildWrapper, the Pipeline Step, project-level properties, and the Job DSL extension methods. Furthermore, the corresponding UI configuration files (.jelly files) were updated from using <f:textbox> to <f:password>, which is the correct UI component for handling Secret fields, ensuring the value is masked from view.
When the vulnerability is present, any user with Item/Extended Read permission, or with access to the Jenkins controller's file system, can view the config.xml for a job using this plugin and retrieve the Applitools API key in cleartext. The identified vulnerable functions are the constructors and methods responsible for receiving the API key from the user configuration and storing it in the object's state, which is then persisted by Jenkins.
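The String-to-Secret change described above, written out as an added example; this is not the plugin's own code, and the package, class and display names are hypothetical:

```java
package example; // hypothetical package, not the plugin's

import hudson.EnvVars;
import hudson.Extension;
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.AbstractProject;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.tasks.BuildWrapperDescriptor;
import hudson.util.Secret;
import java.io.IOException;
import jenkins.tasks.SimpleBuildWrapper;
import org.kohsuke.stapler.DataBoundConstructor;

/** Hardened form: the key is held as a Secret, so Jenkins persists it encrypted in config.xml. */
public class ExampleEyesWrapper extends SimpleBuildWrapper {

    // Vulnerable form (the pattern the patch removed): a plain String field is serialized
    // to config.xml in cleartext, readable by anyone with Item/Extended Read.
    //   private final String applitoolsApiKey;

    private final Secret applitoolsApiKey;

    // Stapler converts the submitted form value to a Secret; the constructor never sees a String.
    @DataBoundConstructor
    public ExampleEyesWrapper(Secret applitoolsApiKey) {
        this.applitoolsApiKey = applitoolsApiKey;
    }

    /** Expose the Secret itself. The matching config.jelly binds this field with
     *  <f:entry field="applitoolsApiKey"><f:password/></f:entry>, so the UI shows a masked value. */
    public Secret getApplitoolsApiKey() {
        return applitoolsApiKey;
    }

    @Override
    public void setUp(Context context, Run<?, ?> build, FilePath workspace, Launcher launcher,
                      TaskListener listener, EnvVars initialEnvironment)
            throws IOException, InterruptedException {
        // Decrypt only at the point of use and hand it to the build environment; never log it.
        context.env("APPLITOOLS_API_KEY", Secret.toString(applitoolsApiKey));
    }

    @Extension
    public static class DescriptorImpl extends BuildWrapperDescriptor {
        @Override public boolean isApplicable(AbstractProject<?, ?> item) { return true; }
        @Override public String getDisplayName() { return "Example Eyes wrapper (hypothetical)"; }
    }
}
```

A quick check after upgrading is to open the job's config.xml on the controller: the applitoolsApiKey element should now contain an encrypted blob rather than the literal key.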
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:applitools-eyes | maven | <= 1.16.5 | |