CVE-2025-31722

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers with Item/Configure permission in Jenkins to bypass sandbox protection in the Templating Engine Plugin, enabling arbitrary code execution on the Jenkins controller. It affects Jenkins instances using the Templating Engine Plugin version 2.5.3 and earlier. Attackers can execute code with the same privileges as the Jenkins controller process.

💻 Affected Systems

Products:
  • Jenkins Templating Engine Plugin
Versions: 2.5.3 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Item/Configure permission; Jenkins instances with the plugin installed are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of the Jenkins controller with complete system access, allowing installation of persistent backdoors, data exfiltration, and lateral movement to connected systems.

🟠 Likely Case

Attackers with Item/Configure permission execute arbitrary code to steal credentials, modify build processes, or disrupt CI/CD pipelines.

🟢 If Mitigated

Limited impact if proper access controls restrict Item/Configure permissions to trusted administrators only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires Item/Configure permission; the vulnerability bypasses sandbox protection for folder-defined libraries.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.4 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3505

Restart Required: Yes

Instructions:

1. Update Jenkins Templating Engine Plugin to version 2.5.4 or later via Jenkins Plugin Manager.
2. Restart Jenkins to apply the update.

🔧 Temporary Workarounds

Restrict Item/Configure Permissions (applies to: all)

Limit Item/Configure permissions to only trusted administrators to reduce attack surface.

Disable Templating Engine Plugin (applies to: all)

Temporarily disable the plugin if not required for operations.

🧯 If You Can't Patch

  • Review and restrict Item/Configure permissions to minimal necessary users.
  • Monitor Jenkins logs for suspicious library usage or code execution attempts.

🔍 How to Verify

Check if Vulnerable:

Check Jenkins Plugin Manager for Templating Engine Plugin version; versions 2.5.3 or earlier are vulnerable.

Check Version:

Navigate to Manage Jenkins > Plugin Manager > Installed plugins and check 'Templating Engine' version.

Verify Fix Applied:

Verify plugin version is 2.5.4 or later in Jenkins Plugin Manager.

📡 Detection & Monitoring

Log Indicators:

  • Unusual library definitions in folders, unexpected code execution in Jenkins logs

Network Indicators:

  • Suspicious outbound connections from Jenkins controller

SIEM Query:

source="jenkins.log" AND ("Templating Engine" OR "library" OR "sandbox") AND ("error" OR "exception" OR "execution")
