CVE-2025-53103
📋 TL;DR
JUnit versions 5.12.0 to 5.13.1 (JUnit Platform 1.12.0 to 1.13.1) can leak Git credentials through Open Test Reporting XML files. The OpenTestReportGeneratingListener records the repository's Git remote URL in the report; if that URL embeds a credential, for example a CI token in the form https://user:token@host/org/repo.git, the token is written to the XML in clear text. If these reports are published or stored where others can read them (public CI artifacts, static report sites, shared buckets), an attacker can take the token and act with its privileges against the repository. This affects Java/JVM projects that test with JUnit and have Open Test Reporting XML output enabled (junit.platform.reporting.open.xml.enabled=true); the format is off by default.
💻 Affected Systems
- JUnit
⚠️ Manual Verification Required
The NVD entry for this CVE does not carry machine-readable version ranges, so automatic detection cannot tell whether your system is affected.
Why? Without vendor/NVD version ranges in the database, only the advisory text (5.12.0 through 5.13.1, fixed in 5.13.2) can be used, and it has to be checked by hand against the versions your build actually resolves.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Inspect the Open Test Reporting XML files your build already produced for a Git remote URL that contains a credential
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal Git access tokens with elevated privileges, enabling unauthorized code commits, repository manipulation, or supply chain attacks.
Likely Case
Exposed credentials in test reports allow attackers to access private repositories or perform limited Git operations.
If Mitigated
If reports are kept private and the CI checkout's remote URL carries no embedded credential, nothing sensitive reaches the report even on an unpatched version.
🎯 Exploit Status
Exploitation requires read access to an exposed test report; once the report is obtained, the credential is in clear text in the recorded remote URL and can be used directly, so no further authentication bypass is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.13.2 (JUnit Platform 1.13.2)
Vendor Advisory: https://github.com/junit-team/junit-framework/security/advisories/GHSA-m43g-m425-p68x
Restart Required: No
Instructions:
1. Update the JUnit dependency (or the junit-bom import) to version 5.13.2 or later.
2. Update the build configuration (Maven pom.xml, Gradle build.gradle, etc.) and check the resolved dependency tree, since a BOM or transitive dependency can still pin an older version.
3. Rebuild and rerun the test suites.
4. Verify no regressions in the test suites and that generated reports no longer contain a credential.
5. Treat any token that appeared in a previously published report as compromised: revoke and rotate it, and delete or regenerate those reports.
🔧 Temporary Workarounds
Disable Open Test Reporting
Turn off the OpenTestReportGeneratingListener's XML output until you can upgrade; the listener only writes reports when this feature is enabled.
Set junit.platform.reporting.open.xml.enabled=false in junit-platform.properties, as a JVM system property, or through your build tool's JUnit Platform configuration parameters
Remove the credential from the Git remote URL: check with git config --get remote.origin.url in the CI checkout, and authenticate through a credential helper or an http.<url>.extraheader entry instead of a token embedded in the URL
Secure Test Report Storage
Ensure test reports are stored in secure, non-public locations with proper access controls.
Configure CI/CD pipelines to store reports in private artifacts
Set appropriate file permissions on report directories
🧯 If You Can't Patch
- Disable Open Test Reporting feature entirely
- Implement strict access controls on test report storage locations
🔍 How to Verify
Check if Vulnerable:
Check the resolved JUnit version in the dependency tree rather than only the declared version in pom.xml or build.gradle; a BOM or transitive dependency may select a different one.
Check Version:
mvn dependency:tree | grep -E 'org.junit.(jupiter|platform|vintage)' (Maven) or gradle dependencies --configuration testRuntimeClasspath | grep 'org.junit' (Gradle). JUnit Platform artifacts use 1.x numbering, so junit-platform-* 1.12.0 to 1.13.1 corresponds to the affected Jupiter range 5.12.0 to 5.13.1.
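The version check above is easy to get wrong by hand when a build resolves several org.junit artifacts with different numbering. The script below is an added example for this page (not JUnit project code): it parses the text printed by mvn dependency:tree and gradle dependencies and flags every JUnit Jupiter, Vintage or Platform artifact whose resolved version is in the affected range. The sample tree is constructed, and the line formats the regular expression accepts are the Maven "group:artifact:jar:version:scope" form and the Gradle "group:artifact:version", "group:artifact:requested -> resolved" and "group:artifact -> resolved" forms.

```python
"""Flag JUnit artifacts affected by CVE-2025-53103 in a dependency listing.

Added example, not JUnit project code. Parses the plain-text output of
`mvn dependency:tree` and `gradle dependencies` and reports artifacts whose
resolved version lies in 5.12.0 <= v < 5.13.2 (Platform: 1.12.0 <= v < 1.13.2).
"""
import re
from typing import List, Tuple

# Affected range per GHSA-m43g-m425-p68x. JUnit Platform artifacts use the
# parallel 1.x numbering (Platform 1.13.x ships with Jupiter 5.13.x).
AFFECTED = {
    "org.junit.jupiter": ((5, 12, 0), (5, 13, 2)),
    "org.junit.vintage": ((5, 12, 0), (5, 13, 2)),
    "org.junit.platform": ((1, 12, 0), (1, 13, 2)),
}

# Matches Maven ("g:a:jar:version:scope") and Gradle ("g:a:version",
# "g:a:requested -> resolved", "g:a -> resolved") dependency-tree lines.
_DEP = re.compile(
    r"(org\.junit\.(?:jupiter|vintage|platform)):([A-Za-z0-9._-]+)"
    r"(?::jar)?(?::[A-Za-z0-9._-]+)?(?::| -> )(\d+\.\d+\.\d+[A-Za-z0-9.-]*)"
)

def parse_version(v: str) -> Tuple[int, int, int, int]:
    """'5.13.1' -> (5, 13, 1, 1). A pre-release such as '5.13.2-M1' becomes
    (5, 13, 2, 0) so it sorts before the final 5.13.2 and is still flagged."""
    core, _, suffix = v.partition("-")
    major, minor, patch = (int(p) for p in core.split(".")[:3])
    return major, minor, patch, 0 if suffix else 1

def is_affected(group: str, version: str) -> bool:
    """True if the artifact's resolved version is in the vulnerable range."""
    lo, fixed = AFFECTED[group]
    v = parse_version(version)
    return lo + (0,) <= v < fixed + (1,)

def scan_dependency_tree(text: str) -> List[Tuple[str, str, str]]:
    """Return (group, artifact, version) for every affected JUnit artifact."""
    hits = []
    for m in _DEP.finditer(text):
        group, artifact, version = m.groups()
        if is_affected(group, version):
            hits.append((group, artifact, version))
    return hits

# Constructed sample: three Maven lines followed by three Gradle lines.
SAMPLE_TREE = """\
[INFO] +- org.junit.jupiter:junit-jupiter:jar:5.13.1:test
[INFO] |  +- org.junit.jupiter:junit-jupiter-api:jar:5.13.1:test
[INFO] |  \\- org.junit.platform:junit-platform-reporting:jar:1.13.1:test
+--- org.junit.jupiter:junit-jupiter-api:5.13.0 -> 5.13.2 (*)
+--- org.junit.vintage:junit-vintage-engine -> 5.12.0
+--- org.junit.jupiter:junit-jupiter-engine:5.11.4
"""

if __name__ == "__main__":
    for group, artifact, version in scan_dependency_tree(SAMPLE_TREE):
        print(f"AFFECTED {group}:{artifact}:{version}")
```

Pipe real output into it (mvn dependency:tree | python3 check_junit.py, reading sys.stdin instead of SAMPLE_TREE) and treat any printed line as a finding; the 5.13.0 -> 5.13.2 line in the sample shows why the resolved version, not the requested one, is what matters.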
Verify Fix Applied:
Confirm that the resolved dependency tree shows junit-jupiter 5.13.2 or later (junit-platform 1.13.2 or later), then generate a report with Open Test Reporting enabled and check that the recorded Git remote URL no longer contains a credential.
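Checking a generated report for leaked credentials is quicker with a script than by eye, and the same script can be run over archived reports to find tokens that must be rotated. The scanner below is an added example for this page (not JUnit project code). It walks every element in an Open Test Reporting XML file and flags any attribute value or text node containing a URL with userinfo (user:token@host); because it inspects all values rather than specific elements, it does not depend on the exact schema. The embedded report and its git element names are a constructed sample, and TOKEN_PLACEHOLDER stands in for a real credential.

```python
"""Find credential-bearing URLs in an Open Test Reporting XML file.

Added example, not JUnit project code. Every attribute and text node is
checked, so the scan works regardless of which element carries the Git
remote URL. The sample report below is constructed; its <git:...> element
names are illustrative and TOKEN_PLACEHOLDER is not a real secret.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlsplit

# Any scheme://... token; the URL parser decides whether userinfo is present.
_URL = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://\S+")

def redact(url: str) -> str:
    """Replace the whole userinfo part with *** (a lone username can itself
    be a token, e.g. x-access-token or a PAT used as the user name)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return parts._replace(netloc=f"***@{host}").geturl()

def credential_urls(xml_text: str) -> List[Tuple[str, str]]:
    """Return (location, redacted_url) for each URL that embeds credentials.
    location is 'tag@attribute' or 'tag#text' with namespaces stripped."""
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]
        candidates = [(f"{tag}@{k}", v) for k, v in elem.attrib.items()]
        if elem.text and elem.text.strip():
            candidates.append((f"{tag}#text", elem.text))
        for location, value in candidates:
            for url in _URL.findall(value):
                parts = urlsplit(url)
                if parts.username or parts.password:
                    hits.append((location, redact(url)))
    return hits

# Constructed sample report: a checkout whose origin URL embeds a CI token.
SAMPLE_REPORT = """\
<e:events xmlns:e="https://schemas.opentest4j.org/reporting/events/0.2.0"
          xmlns:git="https://schemas.opentest4j.org/reporting/git/0.2.0">
  <e:infrastructure>
    <git:repository originUrl="https://ci-bot:TOKEN_PLACEHOLDER@github.com/acme/app.git"/>
    <git:branch>main</git:branch>
    <git:commit>0123456789abcdef0123456789abcdef01234567</git:commit>
  </e:infrastructure>
  <e:started id="1" name="ExampleTest" time="2025-06-01T12:00:00Z"/>
  <e:finished id="1" time="2025-06-01T12:00:01Z"/>
</e:events>
"""

if __name__ == "__main__":
    for location, url in credential_urls(SAMPLE_REPORT):
        print(f"LEAK at {location}: {url}")
```

Run it over every *.xml under your report output directory; a non-empty result on a report produced after the upgrade means the fix is not in effect (check the resolved version again), and a hit in any report that was ever published means the token in it should be rotated.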
📡 Detection & Monitoring
Log Indicators:
- Test report artifacts (Open Test Reporting XML) containing a URL with embedded userinfo (user:token@host)
- Git operations authenticated with a CI token but originating from unexpected hosts, user agents or times
- Failed authentication attempts using tokens that have since been rotated
Network Indicators:
- Unusual Git protocol traffic patterns
- Access to test report storage from unauthorized IPs
SIEM Query (illustrative pseudo-syntax; adapt the source and field names to your Git server's audit log):
source="git.log" AND (action="push" OR action="commit") AND user NOT IN allowed_users