CVE-2025-31722 Overview
CVE-2025-31722 is a code injection vulnerability affecting the Jenkins Templating Engine Plugin version 2.5.3 and earlier. The vulnerability exists because libraries defined in folders are not subject to sandbox protection, enabling attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM. This represents a significant security risk for organizations using Jenkins for CI/CD pipelines, as successful exploitation could lead to complete compromise of the Jenkins environment.
Critical Impact
Attackers with Item/Configure permission can bypass Groovy sandbox restrictions and execute arbitrary code on the Jenkins controller, potentially compromising the entire CI/CD infrastructure.
Affected Products
- Jenkins Templating Engine Plugin version 2.5.3 and earlier
- Jenkins installations with the Templating Engine Plugin installed
- CI/CD environments utilizing Jenkins Pipeline libraries
Discovery Timeline
- April 2, 2025 - CVE-2025-31722 published to NVD
- April 29, 2025 - Last updated in NVD database
Technical Details for CVE-2025-31722
Vulnerability Analysis
This vulnerability falls under CWE-94 (Improper Control of Generation of Code - Code Injection). The Jenkins Templating Engine Plugin is designed to provide a framework for creating reusable, standardized pipeline templates. However, a critical security oversight allows libraries defined within folders to execute outside the Groovy sandbox protection mechanism.
The sandbox mechanism in Jenkins is a fundamental security control designed to prevent untrusted code from accessing sensitive Jenkins internals or the underlying operating system. When this protection is bypassed, attackers gain the ability to execute arbitrary Java and Groovy code with the full privileges of the Jenkins controller process.
The network-based attack vector with low complexity means that any authenticated user with Item/Configure permissions can exploit this vulnerability without requiring any user interaction. Given that Item/Configure is a relatively common permission granted to development teams for managing their own build jobs, the potential attack surface is substantial.
Root Cause
The root cause of this vulnerability stems from insufficient access control enforcement in the Templating Engine Plugin. When libraries are defined within Jenkins folders, the plugin fails to apply the expected sandbox restrictions that would normally contain and limit the execution capabilities of pipeline code. This oversight creates a pathway for privilege escalation from limited pipeline authoring permissions to full code execution on the Jenkins controller.
Attack Vector
The attack is network-accessible and requires low privileges (Item/Configure permission). An attacker who has legitimate access to configure Jenkins items can craft malicious library definitions within folders. These library definitions, when processed by the Templating Engine Plugin, execute outside the sandbox protections, allowing the attacker to:
- Access the Jenkins controller file system
- Execute arbitrary system commands
- Access credentials stored in Jenkins
- Modify or exfiltrate build artifacts and secrets
- Pivot to other systems accessible from the Jenkins controller
The vulnerability is particularly dangerous because it can be exploited by insider threats or through compromised developer accounts that have standard CI/CD access but not full administrative privileges.
Detection Methods for CVE-2025-31722
Indicators of Compromise
- Unusual library definitions within Jenkins folders that contain unexpected code patterns
- Jenkins controller logs showing execution of suspicious system commands or file operations
- Unexpected network connections originating from the Jenkins controller process
- Modifications to Jenkins configuration files or credential stores outside normal change windows
- Abnormal CPU or memory usage on the Jenkins controller indicating code execution
Detection Strategies
- Monitor Jenkins audit logs for configuration changes to items and folder-level library definitions
- Implement file integrity monitoring on the Jenkins controller to detect unauthorized changes
- Deploy endpoint detection solutions on the Jenkins controller to identify suspicious process execution
- Review Script Security plugin logs for sandbox bypass attempts or unusual approval requests
Monitoring Recommendations
- Enable comprehensive audit logging within Jenkins to track all configuration changes
- Configure alerts for any modifications to Templating Engine library definitions
- Implement network monitoring to detect unusual outbound connections from the Jenkins controller
- Regularly review user permissions, particularly Item/Configure access grants
How to Mitigate CVE-2025-31722
Immediate Actions Required
- Upgrade Jenkins Templating Engine Plugin to a patched version immediately
- Audit current folder-level library definitions for any suspicious or unauthorized code
- Review and restrict Item/Configure permissions to only essential personnel
- Enable Jenkins Script Security plugin and ensure approval workflows are enforced
- Consider temporarily disabling folder-level library functionality until patching is complete
Patch Information
Jenkins has released a security advisory addressing this vulnerability. Organizations should upgrade the Templating Engine Plugin to the latest available version that includes the sandbox enforcement fix. Refer to the Jenkins Security Advisory #SECURITY-3505 for specific version information and upgrade instructions.
Workarounds
- Restrict Item/Configure permissions to only trusted administrators until the plugin can be upgraded
- Disable or remove folder-level library definitions if they are not essential to operations
- Implement additional network segmentation around the Jenkins controller to limit blast radius
- Use Jenkins Pipeline Shared Libraries from external, controlled repositories instead of folder-defined libraries
# Review users with Item/Configure permission
# Check Jenkins configuration for Templating Engine plugin version
jenkins-cli.sh list-plugins | grep templating-engine
# Backup Jenkins configuration before upgrading
tar -czvf jenkins-backup-$(date +%Y%m%d).tar.gz $JENKINS_HOME
# Update the plugin via CLI (after downloading patched version)
jenkins-cli.sh install-plugin templating-engine -restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
