CVE-2025-53743
Description
Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not mask Applitools API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Applitools Eyes Plugin 1.16.5 and earlier fails to mask API keys in job configuration forms, risking credential exposure.
Vulnerability
Jenkins Applitools Eyes Plugin versions 1.16.5 and earlier do not properly mask (replace with asterisks) the Applitools API key when it is displayed on the job configuration form [1][3]. This occurs because the plugin does not apply standard credential masking to the API key field, leaving the secret value visible in plain text [3].
Exploitation
An attacker with access to view job configuration pages—such as a user with Job/Configure permission or read access to the config.xml file—can directly observe the plaintext API key [1]. No special network position or additional authentication bypass is required beyond existing Jenkins authorization to see the configuration form [2].
Impact
Exposure of the Applitools API key allows an attacker to impersonate the legitimate Jenkins instance when communicating with the Applitools Eyes service [1][4]. This could enable unauthorized access to test results, modification of visual test baselines, or even data exfiltration depending on the Applitools account permissions [1].
Mitigation
Jenkins has released Applitools Eyes Plugin version 1.16.6 which masks the API key in configuration forms [2]. Users are strongly advised to upgrade to this version immediately [1][2]. After upgrading, any previously exposed keys should be rotated in the Applitools account [4].
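A defender-side inventory check for the mitigation above, added here as an example; it is not part of the advisory or of the plugin. It assumes the plugin's short name in Jenkins is `applitools-eyes` (the Maven artifactId on this page) and that the JSON returned by Jenkins' `pluginManager/api/json?depth=1` endpoint is supplied as text; the sample response below is constructed.

```python
import json
import re

# CVE-2025-53743: Applitools Eyes Plugin <= 1.16.5 shows the API key unmasked on the
# job configuration form; the narrative above says 1.16.6 masks it.
AFFECTED_PLUGIN = "applitools-eyes"   # assumed short name (artifactId from this page)
LAST_AFFECTED = "1.16.5"

# Constructed sample of a Jenkins plugin manager response, trimmed to the fields
# used here. Not real inventory data.
SAMPLE_PLUGIN_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.2.0", "active": True},
        {"shortName": "applitools-eyes", "version": "1.16.5", "active": True},
    ]
})


def parse_version(version):
    """Turn '1.16.5' into (1, 16, 5) so 1.16.10 compares greater than 1.16.5.
    A trailing non-numeric qualifier such as '-SNAPSHOT' is ignored (assumption)."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_affected(version):
    """True when the installed version falls in the advisory's affected range (<= 1.16.5)."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def find_affected(plugin_api_json):
    """Return (shortName, version) for every affected Applitools Eyes install in the response.
    Any hit means the key shown on configuration forms should be treated as exposed and
    rotated after the upgrade, as the mitigation above recommends."""
    doc = json.loads(plugin_api_json)
    hits = []
    for plugin in doc.get("plugins", []):
        if plugin.get("shortName") == AFFECTED_PLUGIN and is_affected(plugin.get("version", "0")):
            hits.append((plugin["shortName"], plugin["version"]))
    return hits


if __name__ == "__main__":
    for name, version in find_affected(SAMPLE_PLUGIN_JSON):
        print(f"{name} {version}: affected by CVE-2025-53743; upgrade and rotate the API key")
```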
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:applitools-eyes (Maven) | <= 1.16.5 | — |
Affected products
- Jenkins Project / Jenkins Applitools Eyes Plugin, range: <= 1.16.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-jmrv-rxgr-phvr (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2025-53743 (NVD advisory)
3. www.jenkins.io/security/advisory/2025-07-09/ (vendor advisory)
4. www.openwall.com/lists/oss-security/2025/07/09/4 (oss-security mailing list post)
News mentions
- Jenkins Security Advisory 2025-07-09, Jenkins Security Advisories · Jul 9, 2025