4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-53743

CVE-2025-53743: Jenkins Applitools Eyes Plugin vulnerability does not mask API keys on its job configuration form

Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not mask Applitools API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-53743

CVE-2025-53743:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:applitools-eyes	maven	<= 1.16.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the handling of the Applitools API key within the Jenkins Applitools Eyes Plugin. The plugin was storing the API key as a plain text string and using a standard text input field in the Jenkins UI for its configuration. This exposed the API key to anyone who could view the job configuration page.

The patch addresses this vulnerability by changing the data type of the API key from java.lang.String to hudson.util.Secret. The Secret class is a Jenkins-specific class designed to handle sensitive data. It encrypts the data when stored and can be decrypted only when needed. Additionally, the UI component for entering the API key was changed from <f:textbox> to <f:password>, which masks the input in the browser.

The identified vulnerable functions are the constructors of the main plugin classes (ApplitoolsBuildWrapper, ApplitoolsStep, ApplitoolsProjectConfigProperty) and the applitools methods in the ApplitoolsJobDsl class. These functions were responsible for accepting the API key from the user configuration and were all modified in the patch to handle the API key as a Secret.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-53743: Jenkins Applitools Eyes Plugin vulnerability does not mask API keys on its job configuration form

CVE-2025-53743:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-53743: Jenkins Applitools Eyes Plugin vulnerability does not mask API keys on its job configuration form

4.3

4.3

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI