Input Validation Flaw in Jenkins Git Parameter Plugin
CVE-2025-53652

8.2 HIGH

Key Information:

Vendor: Jenkins
CVE Published: 9 July 2025


What is CVE-2025-53652?

CVE-2025-53652 is an input validation flaw in the Jenkins Git Parameter Plugin, affecting versions up to and including 439.vb_0e46ca_14534. Jenkins is a widely used open-source automation server for building, testing, and deploying applications, and this plugin lets jobs expose Git branches, tags, and revisions as build parameters. The vulnerability arises because the plugin does not validate the values submitted for Git parameters against the set of predefined choices it offers, so a submitted value is accepted even when it is not one of those choices. Attackers with Item or Build permission can therefore inject arbitrary values into these parameters; if a build uses the parameter value in a shell step or other command, this can lead to execution of attacker-controlled commands or scripts during the build. The flaw undermines the integrity of automated workflows and the security and operational stability of affected systems.

Potential impact of CVE-2025-53652

  1. Arbitrary Code Execution: The most significant risk associated with this vulnerability is the potential for attackers to execute arbitrary code within the Jenkins environment. By injecting harmful parameters, attackers can manipulate build processes to run malicious code, leading to unauthorized access and control over the server.

  2. Compromise of Build Integrity: As Jenkins is often used in DevOps environments to automate software development processes, this vulnerability can undermine the integrity of the entire build pipeline. Injected parameters can lead to compromised application builds, where malicious code could be included in deployed software, affecting end-users and systems.

  3. Data Breaches and Information Disclosure: Exploitation of this vulnerability can lead to exposure of sensitive data stored in the Jenkins environment. Attackers may gain access to credentials, configuration files, and other sensitive information, which can be leveraged for further attacks or sold on the dark web, resulting in severe repercussions for an organization’s data security and compliance standing.

Affected Version(s)

Jenkins Git Parameter Plugin, versions 0 through 439.vb_0e46ca_14534 (inclusive)

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

15,000 Jenkins Servers at Risk from RCE Vulnerability (CVE-2025-53652)

Around 15,000 Jenkins servers exposed on the internet currently have their security settings turned off, making them targets for the RCE vulnerability CVE-2025-53652.

6 days ago

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 📈 Vulnerability started trending
  • 📰 First article discovered by Hack Read
  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved
