
Cloud Vulnerability DB
A community-led vulnerabilities database
JUnit's support for writing Open Test Reporting XML files contains a credential exposure vulnerability (CVE-2025-53103) affecting versions 5.12.0 through 5.13.1. The OpenTestReportGeneratingListener can write Git credentials into the generated test report. The advisory was published on July 1, 2025, and the issue is fixed in version 5.13.2 (GitHub Advisory).
The leak occurs when the repository under test was cloned with credentials embedded in its remote URL (e.g., https://${GH_APP}:${GH_TOKEN}@github.com/example/example.git), a common pattern in CI jobs that authenticate as a GitHub App or with a personal access token. The listener records Git metadata about the working copy, including the remote URL, and in affected versions writes that URL verbatim into the XML report, token included. The issue carries a CVSS v3.1 base score of 5.8 (Medium) with the vector CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N: local access and high privileges are needed to plant the credentialed URL, user interaction is required, and a successful exploit yields high confidentiality and integrity impact through the exposed token (NVD).
The real-world severity depends on what the exposed token is allowed to do. Test reports are routinely uploaded as CI artifacts or published alongside build output; if a report containing the URL ends up in a public or widely readable location, anyone who reads it can take the token and act as the user or application it belongs to, which can lead to unauthorized access to the associated repositories and any systems the token reaches (GitHub Advisory).
JUnit 5.13.2 fixes the issue in two ways. Credentials embedded in URLs are replaced with '***' before the URL is written, and Git metadata is no longer included in the XML output by default: it must be explicitly enabled with the configuration parameter 'junit.platform.reporting.open.xml.git.enabled=true'. Users of 5.12.0 through 5.13.1 are strongly advised to upgrade to 5.13.2 or later, and should also check whether reports already produced by affected versions were published anywhere and rotate any token found in them (GitHub Advisory, GitHub Commit).
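The following is an added example, not code from the JUnit project or from the advisory. It shows the two practical checks that follow from the description above: scanning already-generated Open Test Reporting XML files for URLs that still carry userinfo (the credential form this CVE leaks), and redacting such URLs with '***' in the same shape as the 5.13.2 fix. The sample report is constructed, and the `git:repository`/`originUrl` layout in it is an assumption about the format rather than a verified schema detail; the scanner therefore does not depend on it and checks every attribute and text node in the document.

```python
"""Scan Open Test Reporting XML for credentialed URLs and redact them.

Added example; the XML layout below is constructed for illustration and
does not claim to match the Open Test Reporting git schema exactly.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import SplitResult, urlsplit, urlunsplit

# Constructed sample report. The credentialed originUrl is the shape the
# CVE-2025-53103 advisory describes; the token value is a placeholder.
SAMPLE_REPORT = """<e:events xmlns="https://schemas.opentest4j.org/reporting/core/0.1.0"
          xmlns:e="https://schemas.opentest4j.org/reporting/events/0.1.0"
          xmlns:git="https://schemas.opentest4j.org/reporting/git/0.1.0">
  <infrastructure>
    <hostName>ci-runner-01</hostName>
    <git:repository originUrl="https://ghapp:ghs_EXAMPLETOKEN@github.com/example/example.git"/>
    <git:branch>main</git:branch>
  </infrastructure>
  <e:started id="1" name="JUnit Jupiter" time="2025-07-01T10:00:00Z"/>
</e:events>
"""

# Any scheme://... run up to whitespace or an XML-significant character.
URL_RE = re.compile(r"[a-zA-Z][a-zA-Z0-9+.-]*://[^\s\"'<>]+")

REDACTION_MARKER = "***"


def is_credentialed(parts: SplitResult) -> bool:
    """Heuristic: does the URL's userinfo look like a secret?

    A password is always a secret. A bare username is a secret for
    https URLs (GitHub accepts a token as the username), but not for
    ssh URLs, where 'git@' is a fixed, public account name. A userinfo
    that is already '***' has been redacted and is not reported again.
    """
    if parts.password is not None:
        return True
    if parts.username is None or parts.username == REDACTION_MARKER:
        return False
    return parts.scheme.lower() not in ("ssh", "git")


def find_credentialed_urls(xml_text: str) -> list[tuple[str, str]]:
    """Return (element name, url) for every URL carrying credentials."""
    root = ET.fromstring(xml_text)
    hits: list[tuple[str, str]] = []
    for elem in root.iter():
        values = list(elem.attrib.values())
        if elem.text:
            values.append(elem.text)
        for value in values:
            for url in URL_RE.findall(value):
                if is_credentialed(urlsplit(url)):
                    # Strip the {namespace} prefix ElementTree adds to tags.
                    hits.append((elem.tag.split("}")[-1], url))
    return hits


def redact_url(url: str) -> str:
    """Replace the userinfo of a credentialed URL with '***'.

    Mirrors the shape of the 5.13.2 fix described in the advisory; the
    exact output string JUnit produces is not reproduced here.
    """
    parts = urlsplit(url)
    if not is_credentialed(parts):
        return url
    # Keep host:port verbatim (netloc after the last '@').
    hostport = parts.netloc.rsplit("@", 1)[-1]
    netloc = f"{REDACTION_MARKER}@{hostport}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def redact_report(xml_text: str) -> str:
    """Rewrite every credentialed URL in the raw report text."""
    return URL_RE.sub(lambda m: redact_url(m.group(0)), xml_text)


if __name__ == "__main__":
    for element, url in find_credentialed_urls(SAMPLE_REPORT):
        print(f"credential in <{element}>: {url} -> {redact_url(url)}")
```

Run it against the reports a CI job actually archives (for example by reading each `*.xml` under the build's report directory into `find_credentialed_urls`); any hit means the token in that URL should be treated as exposed and rotated, and `redact_report` gives a clean copy to keep. After upgrading to 5.13.2 or later, the scanner also serves as a regression check: with `junit.platform.reporting.open.xml.git.enabled` left unset no Git URL should appear at all, and with it set to `true` only the `***` form should.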
Source: This report was generated using AI