CVE-2025-53103: junit-platform-reporting can leak Git credentials through its OpenTestReportGeneratingListener
This vulnerability affects JUnit's support for writing Open Test Reporting XML files, which is an opt-in feature of junit-platform-reporting.
If a repository is cloned using a GitHub token or other credentials in its URL, for example:
git clone https://${GH_APP}:${GH_TOKEN}@github.com/example/example.git
then the credentials are captured by OpenTestReportGeneratingListener, which records the repository's origin URL verbatim in the generated report. Anyone who can read the report file (for example as a CI artifact) can read the token. The listener produces (trimmed for brevity):
<infrastructure>
<git:repository originUrl="https://username:token@github.com/example/example.git" />
</infrastructure>
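Added here as a worked example, not code from JUnit or from the Open Test Reporting project: the Python below shows how to spot an originUrl attribute that carries a credential in a generated report and how to strip the userinfo before the file is published. Stripping the userinfo is one way to sanitise the value; whether it matches the upstream fix is not stated on this page. The root element, the git namespace URI and the sample document are assumed for the example; only the infrastructure/git:repository fragment comes from the advisory.

```python
"""Added example (not code from JUnit or Open Test Reporting): find credentials
that OpenTestReportGeneratingListener copies from the Git remote URL into the
originUrl attribute of a report, and scrub them from the file."""
import io
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample. Only <infrastructure>/<git:repository originUrl> comes from
# the advisory; the root element and the git namespace URI are assumed here.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<report xmlns:git="https://schemas.opentest4j.org/reporting/git/1.0">
  <infrastructure>
    <git:repository originUrl="https://username:token@github.com/example/example.git"/>
  </infrastructure>
</report>
"""


def leaks_credentials(url: str) -> bool:
    """True when the URL's userinfo is a secret.

    An explicit password (or a token in the password slot) always counts. For
    http(s) a bare username is usually a token too (https://<token>@github.com/...).
    An ssh/scp-style login such as git@github.com is a username, not a secret.
    """
    parts = urlsplit(url)
    if parts.password is not None:
        return True
    return parts.scheme in ("http", "https") and parts.username is not None


def redact_url(url: str) -> str:
    """Drop the userinfo part of the authority, keeping scheme, host, port and path."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host_and_port = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, host_and_port, parts.path, parts.query, parts.fragment))


def origin_urls(xml_text: str) -> list[str]:
    """Every originUrl attribute value in the report, in document order."""
    root = ET.fromstring(xml_text)
    return [el.get("originUrl") for el in root.iter() if el.get("originUrl")]


def scan_report(xml_text: str) -> list[str]:
    """originUrl values that would expose a credential to anyone reading the report."""
    return [url for url in origin_urls(xml_text) if leaks_credentials(url)]


def redact_report(xml_text: str) -> str:
    """Rewrite the report with credentials stripped from every originUrl."""
    # Re-register the document's own prefixes so ElementTree does not rename
    # git: to ns0: when serialising.
    for _, (prefix, uri) in ET.iterparse(io.StringIO(xml_text), events=("start-ns",)):
        if prefix:
            ET.register_namespace(prefix, uri)
    root = ET.fromstring(xml_text)
    for el in root.iter():
        url = el.get("originUrl")
        if url and leaks_credentials(url):
            el.set("originUrl", redact_url(url))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for url in scan_report(SAMPLE_REPORT):
        print("credential in originUrl:", url, "->", redact_url(url))
    print(redact_report(SAMPLE_REPORT))
```

To check real build output, read the generated report file into a string and pass it to scan_report; a non-empty result means the report must not be uploaded as-is. The ssh case is deliberately not flagged, since the git@ login in an ssh remote is not a secret, while any userinfo on an http(s) remote is treated as one.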
References
- github.com/advisories/GHSA-m43g-m425-p68x
- github.com/junit-team/junit-framework
- github.com/junit-team/junit-framework/blob/6b7764dac92fd35cb348152d1b37f8726875a4e0/junit-platform-reporting/src/main/java/org/junit/platform/reporting/open/xml/OpenTestReportGeneratingListener.java
- github.com/junit-team/junit-framework/commit/d4fc834c8c1c0b3168cd030c13551d1d041f51bc
- github.com/junit-team/junit-framework/security/advisories/GHSA-m43g-m425-p68x
- nvd.nist.gov/vuln/detail/CVE-2025-53103