CVE-2025-31722: 
Java vulnerability analysis and mitigation

CVE-2025-31722 affects the Jenkins Templating Engine Plugin versions 2.5.3 and earlier. The vulnerability was discovered and disclosed on April 2, 2025. This security issue exists in the plugin's handling of libraries defined in folders, where these libraries are not subject to sandbox protection (Jenkins Advisory, NVD).

The vulnerability stems from a security control bypass in the Jenkins Templating Engine Plugin. The plugin allows libraries to be defined both in global configuration and in folders containing pipelines. While globally configured libraries require administrator privileges and are considered trusted, folder-defined libraries can be configured by users with Item/Configure permission. The critical security flaw is that these folder-defined libraries bypass sandbox protection, leading to potential code execution vulnerabilities. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Jenkins Advisory).

The vulnerability allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM. This represents a significant security risk as it could lead to complete system compromise within the Jenkins environment (Jenkins Advisory).

The vulnerability has been fixed in Jenkins Templating Engine Plugin version 2.5.4, which implements proper sandbox protection for libraries defined in folders. Users are strongly advised to upgrade to this version to mitigate the security risk (Jenkins Advisory).