CVE-2025-53661: Jenkins Testsigma Test Plan vulnerability exposes API keys via job configuration form

July 9, 2025

Jenkins Testsigma Test Plan run Plugin stores Testsigma API keys in job config.xml files on the Jenkins controller as part of its configuration.

While these API keys are stored encrypted on disk, in Testsigma Test Plan run Plugin 1.6 and earlier, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix.

References

github.com/advisories/GHSA-8wp4-r84g-gcmw
github.com/jenkinsci/testsigma-plugin
nvd.nist.gov/vuln/detail/CVE-2025-53661
www.jenkins.io/security/advisory/2025-07-09/

Code Behaviors & Features

Detect and mitigate CVE-2025-53661 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →