Headline
GHSA-vmm2-53rc-43v3: Jenkins ByteGuard Build Actions Plugin does not mask API tokens displayed on the job configuration form
Jenkins ByteGuard Build Actions Plugin 1.0 and earlier stores API tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them.
As of publication of this advisory, there is no fix.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-64145
Jenkins ByteGuard Build Actions Plugin does not mask API tokens displayed on the job configuration form
Moderate severity GitHub Reviewed Published Oct 29, 2025 to the GitHub Advisory Database • Updated Oct 29, 2025
Package
maven io.jenkins.plugins:byteguard-build-actions (Maven)
Jenkins ByteGuard Build Actions Plugin 1.0 and earlier stores API tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them.
As of publication of this advisory, there is no fix.
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-64145
- https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3560
Published to the GitHub Advisory Database
Oct 29, 2025
Last updated
Oct 29, 2025