CVE-2025-53743

5.3 MEDIUM

📋 TL;DR

Jenkins Applitools Eyes Plugin versions 1.16.5 and earlier expose Applitools API keys in plain text on job configuration forms. This allows attackers with access to Jenkins configuration interfaces to capture these sensitive credentials. Organizations using vulnerable plugin versions are affected.

💻 Affected Systems

Products:
  • Jenkins Applitools Eyes Plugin
Versions: 1.16.5 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration; any Jenkins instance with the plugin installed is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers capture API keys and gain unauthorized access to Applitools services, potentially compromising visual testing results, accessing proprietary application screenshots, or incurring financial costs through API abuse.

🟠 Likely Case

Internal users or attackers with Jenkins access capture API keys, leading to unauthorized Applitools account access and potential data exposure.

🟢 If Mitigated

With proper access controls limiting Jenkins configuration access, risk is reduced to authorized users only.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to Jenkins job configuration interface; no authentication bypass needed if user already has configuration access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.16.6 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3510

Restart Required: Yes

Instructions:

1. Access Jenkins Manage Jenkins > Manage Plugins
2. Go to Available tab and search for 'Applitools Eyes Plugin'
3. Install version 1.16.6 or later
4. Restart Jenkins after installation

🔧 Temporary Workarounds

Restrict Jenkins Configuration Access (applies to: all)

Limit access to Jenkins job configuration pages to only authorized administrators.

Rotate Applitools API Keys (applies to: all)

Generate new API keys in the Applitools dashboard and update the Jenkins configurations that use them.

🧯 If You Can't Patch

  • Implement strict access controls on Jenkins configuration interfaces
  • Regularly rotate Applitools API keys and audit their usage

🔍 How to Verify

Check if Vulnerable:

Check Jenkins plugin manager for Applitools Eyes Plugin version; if version is 1.16.5 or earlier, system is vulnerable.

Check Version:

curl -s -u "$JENKINS_USER:$JENKINS_API_TOKEN" 'http://jenkins-host/pluginManager/api/json?depth=1' | jq -r '.plugins[] | select(.shortName == "applitools-eyes") | .version'

The plugin manager API only answers for an authenticated user permitted to view plugin management, so pass a username and API token. Selecting the plugin object with jq is more reliable than grepping for the two fields side by side, because the JSON lists each plugin's fields in its own order and "shortName" and "version" are not adjacent.

Verify Fix Applied:

Verify plugin version is 1.16.6 or later in Manage Jenkins > Manage Plugins > Installed tab.
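The version check above, as an added example that is not part of this advisory or of any Jenkins/Applitools tooling: it parses the JSON shape returned by /pluginManager/api/json?depth=1 (a "plugins" array of objects with "shortName" and "version"), compares the installed version numerically against the fixed release so that 1.16.10 is correctly treated as newer than 1.16.6, and includes a fetch helper for a live controller. SAMPLE_PLUGIN_MANAGER_JSON is a constructed stand-in for a real response; the credentials in the fetch helper are hypothetical.

```python
"""Check the installed Applitools Eyes Plugin version against the fixed release.

Added example for this advisory, not tooling from Jenkins or Applitools. It parses the
JSON returned by Jenkins' /pluginManager/api/json?depth=1 endpoint, whose "plugins"
array holds one object per installed plugin with "shortName" and "version" fields.
SAMPLE_PLUGIN_MANAGER_JSON below is a constructed stand-in for a real response.
"""
import base64
import json
import re
import urllib.request
from typing import Optional

PLUGIN_ID = "applitools-eyes"
FIXED_VERSION = "1.16.6"  # first fixed release per the vendor advisory (SECURITY-3510)

# Constructed sample response; a real response carries many more fields per plugin.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.2.2", "active": True},
        {"shortName": "applitools-eyes", "version": "1.16.5", "active": True},
    ]
})


def parse_version(version: str) -> tuple:
    """Turn the leading dotted-numeric part of a version string into an int tuple.

    Comparing tuples of ints is what makes 1.16.10 sort after 1.16.6; a plain
    string comparison would wrongly report "1.16.10" < "1.16.6".
    """
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def find_plugin_version(plugin_manager_json: str, plugin_id: str = PLUGIN_ID) -> Optional[str]:
    """Return the installed version of plugin_id, or None if it is not installed."""
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == plugin_id:
            return plugin.get("version")
    return None


def is_vulnerable(version: Optional[str], fixed: str = FIXED_VERSION) -> bool:
    """True when the plugin is installed at a version older than the fixed release."""
    if version is None:
        return False  # plugin absent: this CVE does not apply
    return parse_version(version) < parse_version(fixed)


def assess(plugin_manager_json: str) -> dict:
    """Summarise installed / version / vulnerable for the Applitools Eyes Plugin."""
    version = find_plugin_version(plugin_manager_json)
    return {
        "plugin": PLUGIN_ID,
        "installed": version is not None,
        "version": version,
        "vulnerable": is_vulnerable(version),
        "fixed_version": FIXED_VERSION,
    }


def fetch_plugin_manager_json(base_url: str, user: str, api_token: str) -> str:
    """Fetch the plugin list from a live controller with HTTP basic auth and a Jenkins
    API token (hypothetical credentials; the caller must be allowed to view plugin
    management)."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    creds = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demo on the constructed sample; use fetch_plugin_manager_json(...) for a live check.
    print(json.dumps(assess(SAMPLE_PLUGIN_MANAGER_JSON), indent=2))
```

Run it as-is to see the assessment of the constructed sample; for a real controller, replace the sample with the string returned by fetch_plugin_manager_json. The numeric comparison matters if you automate this across many controllers: a string comparison would start reporting a future 1.16.10 as vulnerable.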

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access to /job/*/configure pages
  • Multiple failed authentication attempts to Jenkins configuration interfaces

Network Indicators:

  • Unusual API calls to Applitools services from unexpected IPs

SIEM Query (Splunk-style, as on the page):

source="jenkins.log" AND (uri_path="/job/*/configure" OR message="*configure*") AND NOT user IN ("<admin-user-1>", "<admin-user-2>")

Replace the placeholder user list with the accounts that are authorized to edit job configuration. The parentheses matter: AND binds tighter than OR, so without them the user filter would apply only to the message clause and every configure-page hit matched by uri_path would be reported regardless of who made it. The message="*configure*" clause is a broad catch-all and will be noisy; drop it once uri_path is reliably populated.
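The same detection as an offline, added example (not part of the advisory and not Jenkins tooling): it parses NCSA-style access log lines of the kind a Jenkins controller writes when started with an access logger, keeps every request to a /job/<name>/configure page (including jobs nested in folders) by a user outside an admin allowlist, and separates rendered pages (2xx, where the unmasked key would have been displayed) from denied attempts (401/403). The log lines in SAMPLE_ACCESS_LOG are constructed for the demo.

```python
"""Flag job-configuration page views by users outside an admin allowlist.

Added example for the detection section; not part of the original advisory or any
Jenkins tooling. Reads NCSA-style access log lines and reports requests to
/job/<name>/configure made by users not on the allowlist. The sample lines are
constructed for the demo.
"""
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample lines: remote - user [timestamp] "METHOD path proto" status bytes
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - admin [09/Jul/2025:10:00:01 +0000] "GET /job/web-ui/configure HTTP/1.1" 200 48213',
    '10.0.0.17 - alice [09/Jul/2025:10:02:14 +0000] "GET /job/web-ui/configure HTTP/1.1" 200 48213',
    '10.0.0.17 - alice [09/Jul/2025:10:02:20 +0000] "POST /job/web-ui/build HTTP/1.1" 201 0',
    '10.0.0.23 - carol [09/Jul/2025:10:05:42 +0000] "GET /job/api-tests/job/nightly/configure HTTP/1.1" 403 1150',
    '10.0.0.30 - - [09/Jul/2025:10:06:00 +0000] "GET /login HTTP/1.1" 200 2231',
    'this line is not an access log entry',
]

ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# /job/<name>/configure, including jobs nested in folders (/job/<folder>/job/<name>/configure)
CONFIGURE_PATH = re.compile(r"^/job/.+/configure/?$")


def parse_access_line(line: str) -> Optional[Dict]:
    """Parse one access log line into a dict, or return None if it does not match."""
    m = ACCESS_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def flag_configure_access(lines: Iterable[str], allowed_users: set) -> List[Dict]:
    """Return records for configure-page requests by users outside allowed_users.

    Anonymous requests (user "-") are kept as well, since a permissive
    authorization strategy could serve the form without a login.
    """
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string before matching
        if CONFIGURE_PATH.match(path) and rec["user"] not in allowed_users:
            hits.append({"user": rec["user"], "ip": rec["ip"], "ts": rec["ts"],
                         "path": path, "status": rec["status"]})
    return hits


def summarize(hits: List[Dict]) -> Dict[str, Dict[str, int]]:
    """Per-user counts: 'rendered' (2xx, form was shown) vs 'denied' (401/403)."""
    out: Dict[str, Dict[str, int]] = {}
    for h in hits:
        entry = out.setdefault(h["user"], {"rendered": 0, "denied": 0})
        if 200 <= h["status"] < 300:
            entry["rendered"] += 1
        elif h["status"] in (401, 403):
            entry["denied"] += 1
    return out


if __name__ == "__main__":
    found = flag_configure_access(SAMPLE_ACCESS_LOG, allowed_users={"admin"})
    for h in found:
        print(f'{h["ts"]} {h["user"]:<8} {h["status"]} {h["path"]} from {h["ip"]}')
    print(summarize(found))
```

A rendered 200 by a non-admin is the event that matters for this CVE (the form, and with it the unmasked key, was served); a run of 403s from one account is the failed-attempt indicator listed above. Point the script at the controller's real access log and populate allowed_users from your authorization matrix.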
