CVE-2025-53661
Description
Jenkins Testsigma Test Plan run Plugin 1.6 and earlier does not mask Testsigma API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Testsigma Test Plan run Plugin 1.6 and earlier exposes Testsigma API keys in plaintext on job configuration forms, risking credential exposure.
The Jenkins Testsigma Test Plan run Plugin, versions 1.6 and earlier, does not mask Testsigma API keys when it renders them on the job configuration form. Instead of the usual password-style field that shows asterisks, the plaintext key is placed in the form, so anyone who opens the configuration page, or who can see that page over someone's shoulder or in a screen share or screenshot, can read the credential [1][3].
An attacker holding Job/Configure permission on a Jenkins job that uses this plugin can read the API key straight from the form. Beyond that standard Jenkins permission, no further authentication or network access is required [1].
Capturing the key lets the attacker call Testsigma services as the account that owns the key and perform whatever actions that key authorizes, outside of Jenkins and without leaving a trace in the Jenkins job history [1][3].
As of the Jenkins security advisory of 9 July 2025, no fixed release was available, and the plugin appears in the advisory's list of plugins with unresolved security issues [2]. Until a fix ships, practical mitigations are to limit Job/Configure permission on jobs that use the plugin to users who are entitled to see the key, to treat any key that may already have been viewed as exposed and replace it on the Testsigma side, or to remove the plugin from the controller.
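The mechanics behind "not masked" come down to how a Jenkins plugin types and renders a secret field. The example below is added here for illustration and is not the Testsigma plugin's own source: it contrasts the pattern that produces an unmasked key (a plain `String` field rendered with `<f:textbox/>`) with the standard Jenkins fix (`hudson.util.Secret` rendered with `<f:password/>`), which sends only the encrypted form of the value to the browser. The class, package and field names (`example`, `TestPlanRunBuilder`, `apiKey`) are assumed for the example; the Jelly fragments are shown in comments because the form markup lives in a separate `config.jelly` file.

```java
// Added illustration, not the Testsigma plugin's code. Names (package example,
// TestPlanRunBuilder, apiKey) are assumed.
package example;

import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

/*
 * BEFORE (the unmasked pattern): the key is a plain String and config.jelly renders
 * it with a text box, so getApiKey() hands the plaintext to the form and the browser
 * displays it verbatim to anyone who can open the configuration page.
 *
 *   private final String apiKey;
 *   public String getApiKey() { return apiKey; }
 *
 *   config.jelly:
 *   <f:entry title="Testsigma API key" field="apiKey">
 *     <f:textbox/>
 *   </f:entry>
 */

// AFTER (hardened): the key is a hudson.util.Secret and config.jelly uses <f:password/>.
public class TestPlanRunBuilder extends Builder {

    // Secret is stored encrypted in config.xml and its toString() yields the
    // encrypted form, never the plaintext.
    private final Secret apiKey;

    @DataBoundConstructor
    public TestPlanRunBuilder(Secret apiKey) {
        // Stapler converts the submitted form value to a Secret for us.
        this.apiKey = apiKey;
    }

    // Stapler calls this to populate the form. Paired with <f:password/>, the
    // browser receives the encrypted string and shows a masked field.
    public Secret getApiKey() {
        return apiKey;
    }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        // Decrypt only at the point of use (Secret.toString is null-safe and returns ""
        // for a missing key) and never echo the value into the build log.
        String plain = Secret.toString(apiKey);
        if (plain.isEmpty()) {
            listener.error("No Testsigma API key configured");
            return false;
        }
        listener.getLogger().println("Calling Testsigma with a configured API key");
        // ... use `plain` in the Authorization header of the Testsigma request ...
        return true;
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Run Testsigma test plan (example)";
        }
    }
}

/*
 * config.jelly for the hardened builder:
 *
 *   <f:entry title="Testsigma API key" field="apiKey">
 *     <f:password/>
 *   </f:entry>
 */
```

Changing the field type from `String` to `Secret` is backward compatible with existing job configurations: when Jenkins loads an older `config.xml`, its `Secret` converter accepts either a plaintext value or an already-encrypted one, and the value is re-saved in encrypted form the next time the job configuration is written. Switching the Jelly tag alone is not enough; `<f:password/>` over a `String` getter would still ship the plaintext to the browser, merely hidden behind dots.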
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
io.jenkins.plugins:testsigmaMaven | <= 1.6 | — |
Affected products
- Jenkins Project / Jenkins Testsigma Test Plan run Plugin: versions <= 1.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8wp4-r84g-gcmw (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-53661 (NVD entry)
- www.jenkins.io/security/advisory/2025-07-09/ (Jenkins vendor advisory)
- www.openwall.com/lists/oss-security/2025/07/09/4 (oss-security mailing list post)
News mentions
- Jenkins Security Advisory 2025-07-09 (Jenkins Security Advisories, Jul 9, 2025)