CVE-2025-53664

Vulnerability

Description

The Jenkins Apica Loadtest Plugin, versions 1.10 and earlier, stores Apica Loadtest (LTP) authentication tokens in plaintext within job configuration files (job config.xml) on the Jenkins controller. The official advisory from the Jenkins Security team [1] states that the tokens are stored “unencrypted,” which is also confirmed by the NVD entry [3]. This exposes the tokens to anyone who can read these configuration files.

Exploitation

The attack surface includes any user with Item/Extended Read permission, who can view job configurations through the Jenkins web interface, or any user with access to the Jenkins controller’s file system. No special authentication is required beyond standard Jenkins access permissions—the token is simply embedded in the XML without encryption [1][3]. The plugin’s GitHub repository describes how the token is entered as a build parameter and used to communicate with the Apica API [4], but the storage mechanism does not secure it.

Impact

An attacker who obtains the authentication token can impersonate the Jenkins instance to the Apica Loadtest service. This could allow unauthorized actions within the LTP portal, such as running load tests, viewing test results, or modifying configurations, depending on the permissions associated with the leaked token. The stored token is also a persistent credential that may remain valid even after the Jenkins job is no longer active.

Mitigation

As of the 2025-07-09 security advisory [1], the Jenkins project reports that no fix is available for CVE-2025-53664. Users are advised to restrict access to job configurations (Item/Extended Read) and to the Jenkins controller file system. Organizations should also consider rotating any LTP tokens that may have been exposed and monitor Apica Loadtest accounts for unauthorized activity. The advisory lists the Apica Loadtest Plugin among those with unresolved security issues [2].