CVE-2025-53662: 
Java vulnerability analysis and mitigation

CVE-2025-53662 affects the Jenkins IFTTT Build Notifier Plugin versions 1.2 and earlier. The vulnerability was discovered and disclosed on July 9, 2025, by Aris ISSAD from Aix Marseille University. This security issue impacts the plugin's handling of IFTTT Maker Channel Keys, which are essential for integration between Jenkins and IFTTT services (Jenkins Advisory, NVD).

The vulnerability is classified as a plaintext storage of sensitive credentials (CWE-256) with a CVSS v3.1 base score of 6.5 (Medium). The technical issue stems from the plugin storing IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller. These credentials are accessible to users with Item/Extended Read permission or anyone with access to the Jenkins controller file system (Jenkins Advisory, CISA-ADP).

The vulnerability exposes sensitive IFTTT Maker Channel Keys to unauthorized access. Users with Item/Extended Read permission or access to the Jenkins controller file system can view these unencrypted keys, potentially leading to unauthorized access to IFTTT services and compromising the integrity of automated build notifications (Jenkins Advisory).

As of the advisory publication on July 9, 2025, no official fix is available for this vulnerability. Organizations using the affected versions of the IFTTT Build Notifier Plugin should carefully review and restrict access permissions to both the Jenkins controller file system and Item/Extended Read permissions to minimize potential exposure (Jenkins Advisory).