CVE-2025-31722

Severity: High · Impact: RCE

Published: 02 April 2025
Modified: 29 April 2025
KEV Added: not listed
Patch: plugin update available (see the Jenkins advisory under Deeper analysis)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0091 (76.2nd percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-31722 is a high-severity Code Injection (CWE-94) vulnerability in Jenkins Templating Engine. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 23.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability affects Jenkins Templating Engine Plugin versions 2.5.3 and earlier. Libraries defined within folders bypass the plugin's sandbox protections entirely, exposing a code injection flaw (CWE-94) that permits execution of attacker-supplied code inside the Jenkins controller JVM. The issue carries a CVSS 3.1 base score of 8.8.

An attacker who already possesses Item/Configure permission on a folder can define a malicious library that runs without sandbox restrictions, achieving arbitrary code execution on the controller with full access to its runtime environment and any connected agents or credentials.

The official Jenkins security advisory published on 2025-04-02 under SECURITY-3505 describes the flaw and the corresponding plugin update that restores sandbox enforcement for folder-scoped libraries. The associated EPSS score remains low, with a current value of 0.0091 and a peak of 0.0114.

Vulnerability details

In Jenkins Templating Engine Plugin 2.5.3 and earlier, libraries defined in folders are not subject to sandbox protection, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.

CWE(s): CWE-94 (Code Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Jenkins Templating Engine plugin ≤ 2.5.4

Mitigating Controls

Likely mitigating controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-94: makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Addresses CWE-94: dynamically generated code can be produced and executed inside an isolated chamber, preventing host compromise from code-injection payloads.
- Addresses CWE-94: validates inputs used in dynamic code generation to block injected directives.
- Addresses CWE-94: directly prevents execution of attacker-supplied code written into data memory regions.
