CVE-2025-53668
Description
Jenkins VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files, exposing them to users with Extended Read permission or file system access.
Vulnerability
Overview
Jenkins VAddy Plugin versions 1.2.8 and earlier store Vaddy API authentication keys unencrypted in job config.xml files on the Jenkins controller [1][3]. This plaintext storage violates the principle of securing credentials at rest, making the keys accessible to any user or process that can read those configuration files [3].
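As an added illustration of the storage defect described above (not code from the VAddy plugin), the following hypothetical Jenkins build step shows the unsafe pattern beside the standard Jenkins fix: a plain `String` field is serialized by XStream verbatim into the job's config.xml, whereas a `hudson.util.Secret` field is serialized in its encrypted form. The class names `ApiKeyBuilder` and `DescriptorImpl` are assumptions for this example.

```java
// Added example, not the VAddy plugin's own code: a minimal Jenkins build step
// contrasting plaintext storage (the CVE-2025-53668 pattern) with hudson.util.Secret.
import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

public class ApiKeyBuilder extends Builder {

    // UNSAFE: a plain String is written verbatim by XStream, so the job's
    // config.xml contains <apiKey>the-real-key</apiKey> and anyone with
    // Item/Extended Read can fetch it via the job's config.xml endpoint.
    // private final String apiKey;

    // SAFE: Secret is serialized as ciphertext under the controller's master key,
    // so config.xml no longer reveals the key to Extended Read users.
    private final Secret apiKey;

    @DataBoundConstructor
    public ApiKeyBuilder(Secret apiKey) {
        this.apiKey = apiKey;
    }

    // Returning the Secret (not a String) lets the config form round-trip it
    // without sending the plaintext to the browser.
    public Secret getApiKey() {
        return apiKey;
    }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        // Decrypt only at the point of use and never print the plaintext to the build log.
        String plain = Secret.toString(apiKey);
        listener.getLogger().println("Using API key (" + plain.length() + " chars)");
        return true;
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }

        @Override
        public String getDisplayName() { return "Example API key build step"; }
    }
}
```

Note that `Secret` closes the Extended Read exposure only: the master key lives under `$JENKINS_HOME/secrets/` on the controller, so an actor with controller file system access can still decrypt stored secrets, which is why the advisory lists file system access as a separate exposure path.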
Exploitation
Prerequisites
An attacker must have either the Item/Extended Read permission on a Jenkins job or direct access to the Jenkins controller's file system to retrieve the stored keys [1][2]. No special authentication against the VAddy service is required at the point of access; the exposure is entirely within Jenkins's storage mechanism [3].
Impact
With the exposed VAddy API Auth Key, an attacker could perform actions authorized by that key against the VAddy web security testing service, potentially compromising test configurations, results, or related infrastructure [1]. A CVSS v4.0 score was assigned as of the advisory date, though NVD has not yet provided its own assessment [3].
Mitigation
Status
As of the 2025-07-09 security advisory, Jenkins has acknowledged this vulnerability but notes that the VAddy Plugin remains unresolved, meaning no patch is yet available [1][2]. Users should restrict Item/Extended Read permissions and limit file system access to the Jenkins controller as interim workarounds [1][2][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:vaddy-plugin (Maven) | <= 1.2.8 | — |
Affected products
- Jenkins Project / Jenkins VAddy Plugin
- Range: <= 1.2.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-mr49-vmp6-2pwq (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-53668 (NVD advisory)
- www.jenkins.io/security/advisory/2025-07-09/ (vendor advisory)
- www.openwall.com/lists/oss-security/2025/07/09/4 (oss-security mailing list)
News mentions
- Jenkins Security Advisory 2025-07-09 (Jenkins Security Advisories, Jul 9, 2025)