CVE-2025-53668: 
Java vulnerability analysis and mitigation

CVE-2025-53668 affects the Jenkins VAddy Plugin versions 1.2.8 and earlier. The vulnerability was discovered and reported by Romuald Moisan and Vincent Lardet from Aix Marseille University, and was publicly disclosed on July 9, 2025. This security issue involves the insecure storage of Vaddy API Auth Keys in the Jenkins controller's job config.xml files (Jenkins Advisory, NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue stems from the plugin storing sensitive Vaddy API Auth Keys in an unencrypted format within the job config.xml files on the Jenkins controller. The vulnerability is categorized under CWE-311 (Missing Encryption of Sensitive Data) (CISA-ADP).

The vulnerability exposes sensitive API Auth Keys to unauthorized access. Users with Item/Extended Read permission or access to the Jenkins controller file system can view these unencrypted keys. Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them (Jenkins Advisory).

As of the advisory's publication date (July 9, 2025), no fix is available for this vulnerability. Organizations using the affected versions of the VAddy Plugin (1.2.8 and earlier) should consider implementing additional access controls to restrict access to the Jenkins controller file system and carefully manage Item/Extended Read permissions (Jenkins Advisory).