{"id":"CVE-2025-53652","details":"Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values into Git parameters.","aliases":["GHSA-qcj2-99cg-mppf"],"modified":"2026-04-12T18:19:45.471622Z","published":"2025-07-09T16:15:24.627Z","references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2025/07/09/4"},{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3419"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/git-parameter-plugin","events":[{"introduced":"0"},{"fixed":"cab84d3703c267dbdf3e1b4a06fcc51bbed4fcba"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"444.vca_b_84d3703c2"}]}}],"versions":["0.1","435.va_f85861c663a_","439.vb_0e46ca_14534","git-parameter-0.10.0","git-parameter-0.11.0","git-parameter-0.3","git-parameter-0.3.1","git-parameter-0.3.2","git-parameter-0.4","git-parameter-0.5.0","git-parameter-0.5.1","git-parameter-0.6.0","git-parameter-0.6.1","git-parameter-0.6.2","git-parameter-0.7.0","git-parameter-0.7.1","git-parameter-0.7.2","git-parameter-0.8.0","git-parameter-0.8.1","git-parameter-0.9.0","git-parameter-0.9.1","git-parameter-0.9.10","git-parameter-0.9.11","git-parameter-0.9.14","git-parameter-0.9.15","git-parameter-0.9.16","git-parameter-0.9.17","git-parameter-0.9.18","git-parameter-0.9.19","git-parameter-0.9.2","git-parameter-0.9.3","git-parameter-0.9.4","git-parameter-0.9.5","git-parameter-0.9.6","git-parameter-0.9.7","git-parameter-0.9.8","git-parameter-0.9.9"],"database_specific":{"vanir_signatures_modified":"2026-04-12T18:19:45Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53652.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"}]}