CVE-2025-53652
Description
Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values into Git parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Git Parameter Plugin fails to validate user-submitted parameter values against allowed choices, enabling attackers with Item/Build permission to inject arbitrary Git parameters.
Vulnerability
Overview
The Jenkins Git Parameter Plugin, versions 439.vb_0e46ca_14534 and earlier, implements a choice build parameter that lists Git branches, tags, or revisions from the configured SCM. However, the plugin does not validate that the value submitted to the build matches one of the offered choices [1][4]. This missing input validation allows an attacker to bypass the intended selection mechanism.
Exploitation
Prerequisites
An attacker must have Item/Build permission on a Jenkins job that uses the Git Parameter Plugin. No additional authentication or network position is required beyond standard Jenkins access. The attacker can submit an arbitrary string as the Git parameter value, which the plugin accepts without verifying it against the predefined list [1][2].
Impact
By injecting an arbitrary Git parameter value, an attacker can influence the build process in ways not intended by the job configuration. Depending on how the parameter is used in the build (e.g., to check out a repository, run scripts, or pass to other tools), this could lead to unauthorized code execution, information disclosure, or other security breaches. The Jenkins Security Advisory rates this vulnerability as Medium severity [1].
Mitigation
The vulnerability is fixed in Git Parameter Plugin version 444.vca_b_84d3703c2 [1][2]. Users should upgrade to this version or later. No workaround is documented; upgrading is the recommended action.
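The defect described above is the absence of an allowlist check between the values a choice parameter offers and the value a build actually receives. The following is an added illustration in plain Java; it is not Git Parameter Plugin code and does not use the plugin's API, and the class, method and sample branch names are assumptions. It places the unchecked shape next to the checked one, where the build-time value must be exactly one of the strings that were offered.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Added illustration, not the plugin's own code. Models a choice-style build
// parameter whose offered values come from listing the configured SCM.
public class GitChoiceParameterCheck {

    // Constructed sample of what an SCM listing might offer for a job
    // (branches and tags); in a real job this list is computed from the repository.
    static final List<String> OFFERED = List.of("main", "release/1.2", "v1.2.0");

    /**
     * Unchecked shape (the behaviour the advisory describes): whatever string
     * was submitted with the build request is handed on to the build as the
     * parameter value, so the UI's choice list is advisory only.
     */
    static String acceptUnchecked(String submitted) {
        return submitted;
    }

    /**
     * Checked shape: the submitted value is compared against the same strings
     * that were offered. Anything else, including null, is rejected before the
     * build can use it (for example as a ref to check out or in a shell step).
     */
    static String acceptOnlyOffered(List<String> offered, String submitted) {
        Set<String> allowed = new LinkedHashSet<>(offered);
        if (submitted == null || !allowed.contains(submitted)) {
            throw new IllegalArgumentException(
                "Git parameter value is not one of the offered choices: " + submitted);
        }
        return submitted;
    }

    public static void main(String[] args) {
        // A listed choice passes both paths.
        System.out.println(acceptOnlyOffered(OFFERED, "release/1.2"));

        // A value that was never offered: the unchecked path accepts it,
        // the checked path refuses it.
        String notOffered = "not-a-listed-ref";
        System.out.println(acceptUnchecked(notOffered));
        try {
            acceptOnlyOffered(OFFERED, notOffered);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The comparison has to be made against exactly the strings that were presented as choices, after whatever normalisation the listing applied (for example stripping a remote prefix), otherwise legitimate selections are refused while the check still does nothing against values that were never offered. Recomputing the offered list at build time, rather than trusting one cached from the form, keeps the allowlist in step with the repository.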
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.tools:git-parameter | Maven | < 444.vca | 444.vca |
Affected products
- Range: <=439.vb_0e46ca_14534
- Jenkins Project / Jenkins Git Parameter Plugin (range: 0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-qcj2-99cg-mppf (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-53652 (GHSA, advisory)
- www.jenkins.io/security/advisory/2025-07-09/ (GHSA, vendor advisory, web)
- www.openwall.com/lists/oss-security/2025/07/09/4 (GHSA, web)
News mentions
- Jenkins Security Advisory 2025-07-09 (Jenkins Security Advisories, Jul 9, 2025)