CVE-2025-31722

HIGH

Jenkins Templating Engine Plugin <2.5.3 - RCE

Title source: llm

Description

In Jenkins Templating Engine Plugin 2.5.3 and earlier, libraries defined in folders are not subject to sandbox protection, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.

Exploits (2)

nomisec WORKING POC

by h3raklez · poc

https://github.com/h3raklez/CVE-2025-31722

View Code ZIP pw:eip

nomisec NO CODE

by Nick6371 · poc

https://github.com/Nick6371/CVE-2025-31722

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3505

Scores

CVSS v3 8.8

EPSS 0.0114

EPSS Percentile 78.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Products (2)

jenkins/templating_engine < 2.5.4

org.jenkins-ci.plugins/templating-engine 0 - 2.5.4Maven

Published Apr 02, 2025

Tracked Since Feb 18, 2026