CVE-2025-53666
Description
Jenkins Dead Man's Snitch Plugin 0.1 stores Dead Man's Snitch tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Dead Man's Snitch Plugin 0.1 stores tokens unencrypted in job config.xml, exposing them to users with Item/Extended Read or file system access.
Vulnerability
Description
The Jenkins Dead Man's Snitch Plugin 0.1 stores Dead Man's Snitch tokens unencrypted in job config.xml files on the Jenkins controller [1][3]. This means the tokens are persisted in plaintext without any masking or encryption, making them accessible to anyone who can read those configuration files.
Exploitation
Prerequisites
An attacker needs either the Item/Extended Read permission on a Jenkins job or direct access to the Jenkins controller's file system to view the stored tokens [1][3]. No additional authentication is required beyond those permissions. The attack surface is limited to users or processes that already have some level of access to the Jenkins instance.
Impact
If an attacker obtains the Dead Man's Snitch token, they can potentially interact with the Dead Man's Snitch service, which is used for monitoring and alerting. The exact impact depends on the token's privileges, but it could allow an attacker to disable or manipulate monitoring alerts, or gain further insight into the monitored infrastructure.
Mitigation
Status
As of the Jenkins Security Advisory 2025-07-09, no fix has been released for this plugin [1][2]. The plugin is listed among unresolved security issues, meaning users must either remove the plugin or restrict access to job configurations and the controller file system as a workaround [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:deadmanssnitch (Maven) | <= 0.1 | — |
Affected products
- Range: <= 0.1
- Jenkins Project / Jenkins Dead Man's Snitch Plugin (v5), range: 0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-5pcv-7v3q-hw8j (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-53666 (NVD advisory)
- www.jenkins.io/security/advisory/2025-07-09/ (vendor advisory, web)
- www.openwall.com/lists/oss-security/2025/07/09/4 (web)
News mentions
- Jenkins Security Advisory 2025-07-09, Jenkins Security Advisories · Jul 9, 2025