
Cloud Vulnerability DB
A community-led vulnerabilities database
JUnit's OpenTestReportGeneratingListener, a component of the testing framework for Java and the JVM, contains a security vulnerability (CVE-2025-53103) that can leak Git credentials. The vulnerability affects versions 5.12.0 to 5.13.1, in which the support for writing Open Test Reporting XML files can expose sensitive Git authentication tokens. It was discovered and disclosed on July 1, 2025, and has been patched in version 5.13.2 (GitHub Advisory).
The vulnerability exists in the OpenTestReportGeneratingListener component, which captures Git repository information and includes it in XML reports. When a repository is cloned using authentication tokens (e.g., git clone https://${GHAPP}:${GHTOKEN}@github.com/example/example.git), these credentials are captured and exposed in the generated reports. The vulnerability has been assigned a CVSS v3.1 score of 5.8 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N, indicating that local access is required but that the potential impact on confidentiality and integrity is high (GitHub Advisory).
The severity of the impact depends on the level of access granted by the exposed credentials. If test reports containing these credentials are published or stored in publicly accessible locations, malicious actors could potentially steal the tokens and perform elevated actions by impersonating the user or application. This could lead to unauthorized access to repositories and potential compromise of associated systems (GitHub Advisory).
The vulnerability has been patched in JUnit version 5.13.2. The fix includes two main changes: credentials in URLs are now replaced with '*', and Git metadata inclusion in XML output has been made an opt-in feature that must be explicitly enabled via the new configuration parameter 'junit.platform.reporting.open.xml.git.enabled=true'. Users are strongly advised to upgrade to version 5.13.2 or later (GitHub Advisory, GitHub Commit).
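Reports already written by an affected version remain exposed after the upgrade, so stored and published report files are worth checking. The following scanner is an added example, not code from JUnit or the advisory: it flags http(s) URLs that carry credentials in any text file and masks them in its own output. The sample XML and its element names are constructed, and treating a userinfo made only of '*' as already redacted is an assumption based on the fix description above.

```python
import re
import sys

# http(s) URL with a userinfo part: https://user:token@host/path or https://token@host/path
URL_WITH_USERINFO = re.compile(
    r"(?P<scheme>https?)://(?P<userinfo>[^\s/@\"'<>]+)@(?P<rest>[^\s\"'<>]+)"
)

def find_credential_urls(report_text):
    """Return (line_number, masked_url) for every URL that still embeds credentials."""
    findings = []
    for lineno, line in enumerate(report_text.splitlines(), start=1):
        for m in URL_WITH_USERINFO.finditer(line):
            # Assumption: patched output carries only '*' characters in the userinfo.
            if set(m.group("userinfo")) <= {"*", ":"}:
                continue
            # Mask the secret so the scanner's own output does not leak it again.
            findings.append((lineno, f"{m.group('scheme')}://***@{m.group('rest')}"))
    return findings

# Constructed sample; element and attribute names are hypothetical, the scan ignores them.
SAMPLE_REPORT = """<?xml version="1.0"?>
<events>
  <infrastructure>
    <repository originUrl="https://app-name:EXAMPLE-TOKEN@github.com/example/example.git"/>
    <repository originUrl="https://***@github.com/example/example.git"/>
    <repository originUrl="https://github.com/example/example.git"/>
    <repository originUrl="ssh://git@github.com/example/example.git"/>
  </infrastructure>
</events>
"""

def scan_files(paths):
    """Scan report files; return the number of credential-bearing URLs found."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, masked in find_credential_urls(fh.read()):
                print(f"{path}:{lineno}: credentials in URL {masked}")
                total += 1
    return total

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(1 if scan_files(sys.argv[1:]) else 0)
    for lineno, masked in find_credential_urls(SAMPLE_REPORT):
        print(f"sample:{lineno}: credentials in URL {masked}")
```

Any token the scanner finds should be revoked and reissued, since removing the report does not invalidate a credential that was already exposed.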
Source: This report was generated using AI