CVE-2025-53742: Vulnerability in Jenkins Project Jenkins Applitools Eyes Plugin
Jenkins Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
AI Analysis
Technical Summary
CVE-2025-53742 affects the Jenkins Applitools Eyes Plugin version 1.16.5 and earlier. The plugin integrates Applitools Eyes visual UI testing into Jenkins, a widely adopted open-source automation server. The core issue is that the plugin stores Applitools API keys unencrypted in job configuration files (config.xml) on the Jenkins controller. Those files can be read by users with Item/Extended Read permission and by anyone with access to the controller's file system, so the API keys are exposed in plaintext to both groups. Exposure risks unauthorized use of the Applitools API, which could lead to misuse of the visual testing service, data leakage, or further compromise of the Jenkins environment. No privilege beyond Item/Extended Read or file system access is required, and in some organizations those are granted to a broad set of users. No CVSS score has been assigned yet, and there are no known exploits in the wild at this time. The issue is nonetheless significant because API keys are sensitive and Jenkins is commonly used in continuous integration/continuous deployment (CI/CD) pipelines.
Potential Impact
For European organizations, this vulnerability poses a risk to the confidentiality and integrity of their CI/CD pipelines. Jenkins is widely used across Europe in software development and DevOps environments, including in sectors such as finance, manufacturing, telecommunications, and government. Exposure of Applitools API keys could allow attackers or unauthorized insiders to manipulate visual testing results, inject malicious code, or disrupt automated testing workflows. This could lead to the deployment of faulty or compromised software, impacting business operations and potentially causing regulatory compliance issues under GDPR if personal data is involved in the pipeline. Additionally, unauthorized use of API keys could incur financial costs or service disruptions. The risk is heightened in organizations with large development teams where permissions may be broadly assigned, increasing the attack surface. Since the vulnerability requires only read access to job configurations or file system access, it could be exploited by insiders or attackers who have gained limited access to the Jenkins environment.
Mitigation Recommendations
Organizations should upgrade the Jenkins Applitools Eyes Plugin to a version that encrypts API keys or otherwise secures sensitive credentials as soon as one is available. Until then, administrators should restrict Item/Extended Read permission to trusted users and audit existing permission grants to minimize exposure. Access to the Jenkins controller file system should be tightly controlled and monitored. Any Applitools API key that may have been exposed should be rotated so that a copied credential is no longer valid. Following Jenkins credential management best practices, storing secrets through the Jenkins Credentials Plugin (so that job configs hold only a credentials ID) rather than embedding them in job config files, is recommended. Regularly auditing job configurations for plaintext secrets and enforcing least privilege for Jenkins users reduces risk, and monitoring Jenkins logs and access patterns for unusual configuration file access can help detect exploitation attempts early.
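One way to carry out the plaintext-secret audit recommended above, as an added example that is not part of this advisory or of the Jenkins, Applitools, or plugin projects' own code: a Python scanner that walks job config.xml files, flags secret-like elements whose value is not in the `{base64}` form Jenkins uses for encrypted Secrets, and skips credentialsId references (the Credentials Plugin pattern). The element name applitoolsApiKey, the builder class name, and the two sample configurations are constructed assumptions, since the page does not state which element the plugin actually writes; the tag pattern is kept broad on purpose so the same check catches similar fields from other plugins.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Iterator, List, Tuple

# Element names that typically carry a credential in plugin job configuration.
# The element the Applitools Eyes Plugin actually uses is not given on the page,
# so this pattern is an assumption and deliberately broad.
SECRET_TAG_RE = re.compile(r"api[-_]?key|token|password|secret|credential", re.I)

# Jenkins' hudson.util.Secret serialises an encrypted value as "{<base64>}";
# any other non-empty text in a secret-like element is treated as plaintext.
ENCRYPTED_SECRET_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def looks_encrypted(value: str) -> bool:
    """True when the value has the shape Jenkins uses for encrypted secrets."""
    return ENCRYPTED_SECRET_RE.match(value.strip()) is not None


def mask(value: str) -> str:
    """Keep only a short prefix/suffix so a finding can be reported without re-leaking the key."""
    return f"{value[:4]}...{value[-2:]}" if len(value) > 8 else "***"


def find_plaintext_secrets(config_xml: str) -> List[Tuple[str, str]]:
    """Walk one config.xml and return (element path, masked value) for every
    secret-like element whose text is not a Jenkins-encrypted Secret.
    Elements whose name ends in 'Id' (e.g. credentialsId) are references into
    the Credentials Plugin store, not secrets, and are skipped."""
    root = ET.fromstring(config_xml)
    findings: List[Tuple[str, str]] = []

    def walk(elem: ET.Element, path: str) -> None:
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        if (
            text
            and SECRET_TAG_RE.search(elem.tag)
            and not elem.tag.lower().endswith("id")
            and not looks_encrypted(text)
        ):
            findings.append((here, mask(text)))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def scan_jobs_dir(jobs_root: Path) -> Iterator[Tuple[Path, List[Tuple[str, str]]]]:
    """Yield (config path, findings) for every config.xml under jobs_root
    (typically $JENKINS_HOME/jobs) that holds at least one plaintext secret."""
    for config in sorted(jobs_root.rglob("config.xml")):
        try:
            hits = find_plaintext_secrets(config.read_text(encoding="utf-8"))
        except (ET.ParseError, OSError) as exc:
            print(f"skip {config}: {exc}", file=sys.stderr)
            continue
        if hits:
            yield config, hits


# Constructed sample: an API key written in the clear, as the affected plugin versions do.
SAMPLE_PLAINTEXT = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <description>constructed sample, not a real job</description>
  <builders>
    <com.example.SomeBuilder>
      <applitoolsApiKey>EXAMPLEKEY1234567890</applitoolsApiKey>
      <serverUrl>https://eyes.example.invalid</serverUrl>
    </com.example.SomeBuilder>
  </builders>
</project>
"""

# Constructed sample: an encrypted Secret plus a Credentials Plugin reference; neither is flagged.
SAMPLE_SAFE = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <builders>
    <com.example.SomeBuilder>
      <applitoolsApiKey>{AQAAABAAAAAQ0123456789abcdef0123456789abcdef}</applitoolsApiKey>
      <credentialsId>applitools-eyes-key</credentialsId>
    </com.example.SomeBuilder>
  </builders>
</project>
"""

if __name__ == "__main__":
    for name, xml in (("plaintext", SAMPLE_PLAINTEXT), ("safe", SAMPLE_SAFE)):
        print(name, find_plaintext_secrets(xml))
    if len(sys.argv) > 1:  # e.g. python audit.py /var/lib/jenkins/jobs
        for path, hits in scan_jobs_dir(Path(sys.argv[1])):
            print(path, hits)
```

Run it against a copy of the jobs directory on the controller or from a read-only maintenance window; the masked output is safe to attach to a ticket, and every hit is a job whose key should be rotated after the configuration is moved to a Credentials Plugin entry.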
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: jenkins
- Date Reserved: 2025-07-09T07:21:20.902Z
- CVSS Version: null (no CVSS score assigned)
- State: PUBLISHED
Threat ID: 686e90bb6f40f0eb7204bd8f
Added to database: 7/9/2025, 3:54:35 PM
Last enriched: 7/9/2025, 4:09:47 PM
Last updated: 7/9/2025, 4:09:47 PM