CVE-2025-53658
📋 TL;DR
Jenkins Applitools Eyes Plugin 1.16.5 and earlier contains a stored cross-site scripting (XSS) vulnerability where the Applitools URL is not properly escaped on build pages. Attackers with Item/Configure permission can inject malicious scripts that execute when users view affected build pages. This affects Jenkins instances using the vulnerable plugin version.
💻 Affected Systems
- Jenkins Applitools Eyes Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with Item/Configure permission could steal administrator session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to full Jenkins compromise.
Likely Case
Attackers with Item/Configure permission inject malicious JavaScript that steals session cookies or performs unauthorized actions when users view build pages containing the malicious payload.
If Mitigated
With proper access controls limiting Item/Configure permissions to trusted users only, exploitation risk is significantly reduced as attackers cannot inject malicious scripts.
🎯 Exploit Status
Exploitation requires Item/Configure permission. The vulnerability is stored XSS, meaning malicious payload persists until cleaned.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.16.6 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3509
Restart Required: Yes
Instructions:
1. Update Jenkins Applitools Eyes Plugin to version 1.16.6 or later via Jenkins Plugin Manager.
2. Restart Jenkins to apply the update.
3. Verify the plugin version in Manage Jenkins > Manage Plugins > Installed tab.
🔧 Temporary Workarounds
Restrict Item/Configure Permissions
Limit Item/Configure permissions to trusted administrators only, so that unauthorized users cannot inject malicious scripts.
Configure this via the Jenkins Role-Based Authorization Strategy or Matrix Authorization Strategy plugins.
🧯 If You Can't Patch
- Review and restrict Item/Configure permissions to minimal necessary users only
- Monitor build page content for suspicious script tags or unusual URLs in Applitools fields
🔍 How to Verify
Check if Vulnerable:
Check Jenkins plugin manager for Applitools Eyes Plugin version. If version is 1.16.5 or earlier, the system is vulnerable.
Check Version:
Check via Jenkins web UI: Manage Jenkins > Manage Plugins > Installed tab, or via CLI: java -jar jenkins-cli.jar -s http://jenkins-url/ list-plugins | grep applitools
Verify Fix Applied:
Verify Applitools Eyes Plugin version is 1.16.6 or later in Jenkins Plugin Manager > Installed tab.
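The version check above can be scripted against the `list-plugins` CLI output. The following is an added example, not part of the advisory or the plugin; it assumes the CLI prints one plugin per line as `<shortName> <Long Name> <version>` with an optional `(<latest>)` suffix, and that the plugin's short name is `applitools-eyes` (both assumptions, check against your instance). It also generalizes to any table of fixed versions.

```python
import re

# Fixed version per the vendor advisory (SECURITY-3509); extend with other plugins as needed.
FIXED_VERSIONS = {"applitools-eyes": "1.16.6"}

# Constructed sample of `java -jar jenkins-cli.jar -s http://jenkins-url/ list-plugins` output.
# Column layout and the short name "applitools-eyes" are assumptions for this example.
SAMPLE_OUTPUT = """\
applitools-eyes      Applitools Eyes Plugin             1.16.5 (1.16.6)
git                  Git plugin                         5.2.2
matrix-auth          Matrix Authorization Strategy      3.2.2
"""

# shortName, long name (lazy), version token, optional "(latest)" suffix
LINE_RE = re.compile(r"^(\S+)\s+(.*?)\s+(\d[\w.\-]*)(?:\s+\((.*?)\))?\s*$")


def parse_version(text):
    """'1.16.5' -> (1, 16, 5); a non-numeric component such as 'rc1' counts as 0."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version string a is strictly older than b (1.16 == 1.16.0, 1.16.10 > 1.16.6)."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def parse_list_plugins(output):
    """Map each plugin short name to its installed version; unparseable lines are skipped."""
    installed = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            installed[m.group(1)] = m.group(3)
    return installed


def vulnerable_plugins(output, fixed=FIXED_VERSIONS):
    """Return {shortName: installedVersion} for plugins older than their fixed version."""
    installed = parse_list_plugins(output)
    return {name: ver for name, ver in installed.items()
            if name in fixed and version_lt(ver, fixed[name])}


if __name__ == "__main__":
    print(vulnerable_plugins(SAMPLE_OUTPUT))  # {'applitools-eyes': '1.16.5'}
```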
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to job configurations by users with Item/Configure permission
- JavaScript errors or unusual activity on build pages
Network Indicators:
- Outbound connections to unexpected domains from Jenkins server when viewing build pages
SIEM Query:
source="jenkins.log" AND ("applitools" OR "build page") AND ("script" OR "javascript" OR "malicious")