Sandbox Bypass vulnerability disclosed in Jenkins Templating Engine (JTE) (CVE-2025-31722)

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.
Summary
Cyble's Security Update Advisory provides a synopsis of the latest vulnerability patches released by various vendors. This advisory discusses a recent sandbox security bypass that affected the Jenkins Templating Engine (JTE).
Vulnerabilities are identified by their Common Vulnerabilities and Exposures (CVE) identifier and rated using the Common Vulnerability Scoring System (CVSS), whose severity bands (critical, high, medium, and low) are used throughout this advisory.
Vulnerability Details
Vulnerability type: Sandbox bypass (folder-scoped library code executed outside the Groovy sandbox)
CVSSv4.0: 8.8
Severity: High
Vulnerable versions: Jenkins Templating Engine Plugin 2.5.3 and earlier
Description
The Templating Engine Plugin allows pipeline libraries to be defined both globally and within specific folders containing the pipelines that use them. Globally configured libraries can only be set up by Jenkins administrators, who are already fully trusted, and are therefore treated as trusted code. Folder-scoped libraries, however, are configured on the folder itself and can be added or changed by any user who holds Item/Configure permission on that folder, which is a far less privileged role than administrator.
In Templating Engine Plugin 2.5.3 and earlier, steps from folder-scoped libraries are not executed inside the Script Security sandbox that normally constrains user-supplied pipeline Groovy. A user with Item/Configure permission on a folder can therefore supply a library whose steps run as unsandboxed Groovy, and trigger a pipeline that uses it, resulting in arbitrary code execution in the Jenkins controller JVM. Because the controller holds credentials, agent connections and the configuration of every job, this amounts to a full compromise of the Jenkins instance rather than of a single pipeline.
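A quick way to find out whether an instance is exposed is to read the installed plugin inventory from the Jenkins REST endpoint /pluginManager/api/json?depth=1 and compare the Templating Engine Plugin version against the first fixed release. The script below is an added example written for this advisory, not code from Cyble or the Jenkins project; it assumes the plugin's short name is "templating-engine" and that 2.5.4 is the first fixed version, and it parses an inline, constructed sample of the endpoint's JSON so that it runs offline. The version comparison is done numerically, because a naive string comparison would rate 2.10.0 as older than 2.5.4.

```python
"""Check a Jenkins plugin inventory for a vulnerable Templating Engine Plugin.

Added example for this advisory (not Jenkins or Cyble code). Assumptions:
  - the plugin's short name in the plugin manager is "templating-engine";
  - versions strictly below JTE_FIXED_VERSION (assumed 2.5.4) are affected.
"""
import base64
import json
import re
import urllib.request
from typing import Dict, Optional, Tuple

JTE_SHORT_NAME = "templating-engine"   # assumed plugin short name
JTE_FIXED_VERSION = "2.5.4"            # assumed first fixed release

# Constructed sample mirroring the shape of GET /pluginManager/api/json?depth=1
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "templating-engine", "longName": "Templating Engine",
         "version": "2.5.3", "active": True, "enabled": True},
        {"shortName": "script-security", "longName": "Script Security Plugin",
         "version": "1369.v9b_98a_4e95b_2d", "active": True, "enabled": True},
        {"shortName": "workflow-cps", "longName": "Pipeline: Groovy",
         "version": "3993.v3e20a_37282f8", "active": True, "enabled": True},
    ]
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Jenkins plugin version into a comparable tuple of integers.

    Leading numeric components are kept ("2.5.3" -> (2, 5, 3)); parsing stops
    at the first non-numeric token, so incremental versions such as
    "1369.v9b_98a_4e95b_2d" become (1369,) and "2.5.4-beta" becomes (2, 5, 4).
    """
    parts = []
    for token in re.split(r"[.\-]", version):
        match = re.match(r"\d+", token)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed version is strictly older than the fixed one."""
    return parse_version(version) < parse_version(JTE_FIXED_VERSION)


def audit_plugins(plugin_manager_json: str) -> Dict[str, object]:
    """Inspect plugin-manager JSON and report on the Templating Engine Plugin."""
    plugins = json.loads(plugin_manager_json).get("plugins", [])
    for plugin in plugins:
        if plugin.get("shortName") == JTE_SHORT_NAME:
            version = str(plugin.get("version", ""))
            return {
                "installed": True,
                "version": version,
                "enabled": bool(plugin.get("enabled", False)),
                "vulnerable": is_vulnerable(version),
            }
    return {"installed": False, "version": None, "enabled": False, "vulnerable": False}


def fetch_plugin_manager(base_url: str, user: str, api_token: str,
                         timeout: int = 15) -> str:
    """Fetch the live inventory with basic auth (user + API token). Network call;
    not exercised by the offline sample below."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    credentials = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    request = urllib.request.Request(url, headers={"Authorization": "Basic " + credentials})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_plugin_manager(...)
    # for a real controller.
    result = audit_plugins(SAMPLE_PLUGIN_MANAGER_JSON)
    if not result["installed"]:
        print("Templating Engine Plugin is not installed.")
    elif result["vulnerable"]:
        print(f"VULNERABLE: templating-engine {result['version']} < {JTE_FIXED_VERSION}")
    else:
        print(f"OK: templating-engine {result['version']} is at or above {JTE_FIXED_VERSION}")
```

Run it as-is to see the sample flagged; point fetch_plugin_manager at a controller with a read-capable API token to audit a live instance. A plugin that is installed but disabled still shows up in the inventory, so the "enabled" field is reported separately rather than folded into the verdict.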
Recommendations
Implement the latest patch released by the official vendor: Update the Templating Engine Plugin to version 2.5.4 or later, which executes folder-scoped libraries inside the sandbox. Until the update is applied, review which users and groups hold Item/Configure permission on folders that define Templating Engine libraries, and audit existing folder-scoped library sources for content that was not introduced by a trusted maintainer. More generally, keep all software and hardware systems current with vendor patches, establish a routine patch schedule, and apply critical patches immediately.
Implement a robust patch management process: Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
Incident response and recovery plan: Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
Monitoring and logging malicious activities across the network: Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
To mitigate risks associated with End-of-Life (EOL) products: Organizations should proactively identify and assess their criticality, then plan for timely upgrades or replacements.
Conclusion
The Templating Engine Plugin for Jenkins is a powerful tool that enables the use of reusable libraries for pipeline development, improving efficiency and maintainability. However, in version 2.5.3 and earlier, folder-scoped libraries ran outside the sandbox, allowing a user with only Item/Configure permission on a folder to execute arbitrary code on the Jenkins controller. If exploited, this could lead to compromise of the controller and everything it holds, including credentials and the configuration of other jobs. To maintain a secure CI/CD pipeline, it is strongly recommended to apply the latest plugin release and follow best practices for access control and library management.