CVE-2025-53678 — Jenkins User1st uTester Plugin vulnerability exposes unencrypted token to authen

Description

Jenkins User1st uTester Plugin 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

How to fix CVE-2025-53678

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2025-53678 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 1.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.3	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-53678
PATCHgithub.com/jenkinsci/user1st-utester-plugin
WEBwww.jenkins.io/security/advisory/2025-07-09/#SECURITY-3518
WEBwww.openwall.com/lists/oss-security/2025/07/09/4