CVE-2025-53103

JUnit is a testing framework for Java and the JVM. From version 5.12.0 to 5.13.1, JUnit's support for writing Open Test Reporting XML files can leak Git credentials. The impact depends on the level of the access token exposed through the OpenTestReportGeneratingListener. If these test reports are published or stored anywhere public, then there is the possibility that a rouge attacker can steal the token and perform elevated actions by impersonating the user or app. This issue as been patched in version 5.13.2.

CVSS v3 5.8 MEDIUM

5.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.6 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/junit-team/junit-framework/commit/d4fc834c8c1c0b3168cd030c13551d1d041f51bc
https://github.com/junit-team/junit-framework/security/advisories/GHSA-m43g-m425-p68x

Configurations

No configuration.

History

03 Jul 2025, 15:14

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-01 18:15

Updated : 2025-07-03 15:14

NVD link : CVE-2025-53103

Mitre link : CVE-2025-53103

CVE.ORG link : CVE-2025-53103

JSON object : View

Products Affected

No product.

CWE

CWE-312

Cleartext Storage of Sensitive Information

{"id": "CVE-2025-53103", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 0.6}]}, "published": "2025-07-01T18:15:25.837", "references": [{"url": "https://github.com/junit-team/junit-framework/commit/d4fc834c8c1c0b3168cd030c13551d1d041f51bc", "source": "security-advisories@github.com"}, {"url": "https://github.com/junit-team/junit-framework/security/advisories/GHSA-m43g-m425-p68x", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-312"}]}], "descriptions": [{"lang": "en", "value": "JUnit is a testing framework for Java and the JVM. From version 5.12.0 to 5.13.1, JUnit's support for writing Open Test Reporting XML files can leak Git credentials. The impact depends on the level of the access token exposed through the OpenTestReportGeneratingListener. If these test reports are published or stored anywhere public, then there is the possibility that a rouge attacker can steal the token and perform elevated actions by impersonating the user or app. This issue as been patched in version 5.13.2."}, {"lang": "es", "value": "JUnit es un framework de pruebas para Java y la JVM. Desde la versi\u00f3n 5.12.0 hasta la 5.13.1, la compatibilidad de JUnit con la escritura de archivos XML de Open Test Reporting puede filtrar credenciales de Git. El impacto depende del nivel del token de acceso expuesto a trav\u00e9s de OpenTestReportGeneratingListener. Si estos informes de prueba se publican o almacenan en un lugar p\u00fablico, existe la posibilidad de que un atacante malintencionado robe el token y realice acciones elevadas suplantando la identidad del usuario o la aplicaci\u00f3n. Este problema se ha corregido en la versi\u00f3n 5.13.2."}], "lastModified": "2025-07-03T15:14:12.767", "sourceIdentifier": "security-advisories@github.com"}