Jenkins Patch Tuesday: 20 Plugins Fixed for Credential Exposure, XSS, and Code Injection Flaws
Jenkins released a security advisory covering 20 plugins, addressing vulnerabilities ranging from credential exposure and stored XSS to arbitrary value injection, with patches now available.

Jenkins published a security advisory on July 9, 2025, addressing vulnerabilities spanning 20 different plugins in the popular CI/CD platform. The advisory includes fixes for issues that could allow attackers to expose credentials, inject arbitrary values into build parameters, and exploit stored cross-site scripting (XSS) flaws. Users are urged to update affected plugins to their latest versions immediately.
Among the most impactful disclosures is a stored XSS vulnerability in the Applitools Eyes Plugin (CVE-2025-53658), rated High severity. The flaw, present in version 1.16.5 and earlier, allows attackers with Item/Configure permission to inject malicious scripts that execute when the build page is viewed. The same plugin also stores Applitools API keys in plain text (CVE-2025-53742 and CVE-2025-53743), exposing them to users with Item/Extended Read access.
The advisory also details improper credential masking in the Credentials Binding Plugin (CVE-2025-53650), where sensitive credentials are written to the build log in exception messages. The Git Parameter Plugin (CVE-2025-53652) fails to validate submitted parameter values, letting attackers with Item/Build permission inject arbitrary values that are not among the offered choices. Multiple plugins store secrets in plain text, including the Aqua Security Scanner Plugin (CVE-2025-53653), Statistics Gatherer Plugin (CVE-2025-53654 and CVE-2025-53655), ReadyAPI Functional Testing Plugin (CVE-2025-53656 and CVE-2025-53657), and the QMetry Test Management Plugin (CVE-2025-53659 and CVE-2025-53660).
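The two defect classes described above, a parameter value accepted without being checked against the offered choices and a credential that reaches the build log through an exception message, both come down to a missing server-side step. The following is an added example, not code from Jenkins or from any of the plugins named in the advisory; it shows the checks in plain Python with constructed sample values (the `tok_EXAMPLE_...` token and the branch names are made up):

```python
"""Added example, not code from Jenkins or from the plugins named above.
It shows the two server-side checks whose absence the advisory describes:
validating a submitted parameter against the offered choices, and masking
credential values in log text, including exception messages."""
from typing import Callable, Iterable, List


class ParameterRejected(ValueError):
    """Raised when a submitted build parameter is not an offered choice."""


def validate_choice(submitted: str, offered: Iterable[str]) -> str:
    """Return the submitted value only if it is exactly one of the offered choices.

    A choice-style parameter (such as a list of branches) must be re-checked on
    the server: the browser form is not a trust boundary, and a user with Build
    permission can submit any string. Comparison is exact (no trimming, no case
    folding) so that a value the job never offered cannot slip through.
    """
    choices = list(offered)
    if submitted not in choices:
        raise ParameterRejected(
            f"submitted value is not among the offered choices: {submitted!r}")
    return submitted


MASK = "****"


def mask_secrets(text: str, secrets: Iterable[str]) -> str:
    """Replace every occurrence of each secret value in text with MASK.

    Longest secrets are replaced first so that a secret which contains another
    secret as a substring is fully masked rather than partially. Empty secrets
    are ignored: replacing "" would corrupt the whole string.
    """
    for secret in sorted({s for s in secrets if s}, key=len, reverse=True):
        text = text.replace(secret, MASK)
    return text


def run_step(step: Callable[[], object], secrets: Iterable[str], log: List[str]):
    """Run a build step; if it fails, write the failure to the build log with
    secrets masked and re-raise. Masking is applied to the exception message
    too, which is the path the Credentials Binding defect left unmasked."""
    secret_list = list(secrets)
    try:
        return step()
    except Exception as exc:  # a build log records any failure
        log.append(mask_secrets(f"step failed: {exc}", secret_list))
        raise


if __name__ == "__main__":
    # Constructed sample values; nothing here is a real credential.
    token = "tok_EXAMPLE_0123456789"
    build_log: List[str] = []

    def deploy():
        raise RuntimeError(f"HTTP 401 from https://api.example.invalid (token {token})")

    try:
        run_step(deploy, [token], build_log)
    except RuntimeError:
        pass
    print(build_log[0])  # the token appears as ****
    print(validate_choice("main", ["main", "develop"]))
```

The masking function is deliberately value-based rather than pattern-based: it only needs to know the secrets that were bound to the build, which the credential-binding layer already has, and it is applied to every line that reaches the log, including text produced by exception handlers.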
Additional fixes address file path information disclosure in the HTML Publisher Plugin (CVE-2025-53651), which logs absolute file paths that reveal the Jenkins controller file system layout. Several other plugins — including Apica Loadtest, Dead Man's Snitch, IBM Cloud DevOps, IFTTT Build Notifier, Kryptowire, Nouvola DiveCloud, Sensedia Api Platform tools, Testsigma Test Plan run, User1st uTester, VAddy, Warrior Framework, and Xooa — received security patches for issues that were not individually detailed in the advisory summary.
All affected plugin versions and patched versions are listed in the official advisory. Jenkins administrators should review their plugin installations and apply the updates as soon as possible to mitigate the risk of credential theft, information disclosure, and code injection. The vulnerabilities are not known to be exploited in the wild at this time, but the exposure of unencrypted credentials in configuration files and build logs increases the risk of internal compromise.
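A quick way to check a controller against the advisory is to read the plugin list Jenkins exposes at `/pluginManager/api/json?depth=1` and compare versions with the affected thresholds. The script below is an added example, not a Jenkins tool: the JSON is a constructed sample of that endpoint's response (only the `shortName` and `version` fields are used), the only threshold filled in is the Applitools Eyes one stated above (1.16.5 and earlier), and `applitools-eyes` as that plugin's short name is an assumption. The remaining entries should be taken from the official advisory's affected-version list.

```python
"""Added example, not a Jenkins tool: compares the plugins a controller reports
against advisory thresholds. The sample JSON is constructed to match the shape
of /pluginManager/api/json?depth=1 with only the fields used here."""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample response; shortName and version are the real field names.
SAMPLE_PLUGIN_JSON = json.dumps({"plugins": [
    {"shortName": "applitools-eyes", "version": "1.16.5", "active": True},
    {"shortName": "git-parameter", "version": "0.9.19", "active": True},
    {"shortName": "git", "version": "5.7.0", "active": True},
]})

# Highest affected version per plugin id. Only the Applitools threshold is
# given in the article; "applitools-eyes" as its short name is an assumption.
# Add the other plugins from the advisory's affected-version list.
AFFECTED: Dict[str, str] = {
    "applitools-eyes": "1.16.5",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Reduce a plugin version to its leading dotted numeric part.

    Plugin versions are usually dotted numbers ("1.16.5") but may carry a
    suffix such as a git hash ("457.vabc..."); the suffix is ignored, so two
    versions that differ only in the suffix compare equal.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def audit(plugin_json: str, affected: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (shortName, installed, highest_affected) for every installed
    plugin at or below its threshold. Disabled plugins are reported as well,
    since their code stays on the controller until it is removed."""
    findings: List[Tuple[str, str, str]] = []
    for p in json.loads(plugin_json)["plugins"]:
        name = p["shortName"]
        if name in affected and parse_version(p["version"]) <= parse_version(affected[name]):
            findings.append((name, p["version"], affected[name]))
    return findings


def fetch_plugin_json(base_url: str, user: str, api_token: str) -> str:
    """Fetch the live plugin list using a Jenkins API token over HTTP basic auth."""
    import base64
    import urllib.request
    req = urllib.request.Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run over the constructed sample; replace with fetch_plugin_json(...)
    # to audit a real controller.
    for name, installed, limit in audit(SAMPLE_PLUGIN_JSON, AFFECTED):
        print(f"{name} {installed} is affected (<= {limit}); update it")
```

The version comparison is intentionally conservative: a version whose numeric prefix equals the threshold is flagged even if a suffix differs, which is the right failure direction for an audit.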
This advisory is part of Jenkins' regular monthly security release cycle; the platform has been a target for attackers in the past. In 2024, Jenkins issued emergency patches for a critical RCE vulnerability in the CLI tool, and earlier in 2025, the platform addressed a remote code execution flaw in the Checkstyle Plugin. The cumulative impact of credential exposure across multiple plugins underscores the need for robust secrets management and the principle of least privilege in CI/CD environments.