CVE-2025-53652

HIGH

Jenkins Git Parameter Plugin <439 - Command Injection


Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-53652. PoCs published by pl4tyz.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2025-53652, a command injection vulnerability in the Jenkins Git Parameter Plugin. It explains how unsanitized user input from build parameters is passed to Git CLI commands, enabling remote code execution.

Description

Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values into Git parameters.

Exploits (1)

nomisec · Writeup · 1 star
by pl4tyz · PoC
https://github.com/pl4tyz/CVE-2025-53652-Jenkins-Git-Parameter-Analysis


Classification
Writeup 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Jenkins Git Parameter Plugin
Auth required
Prerequisites: Access to Jenkins build parameters · Git Parameter Plugin installed
devstral-2 · analyzed Feb 19, 2026

References (2)


Scores

CVSS v3 8.2
EPSS 0.0007
EPSS Percentile 21.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-20
Status published
Products (2)
jenkins/git_parameter < 444.vca_b_84d3703c2
org.jenkins-ci.tools/git-parameter 0 - 444.vca (Maven)
Published Jul 09, 2025
Tracked Since Feb 18, 2026