{“lastseen”:”2025-08-18T21:27:17″,”description”:”# Pipeline: Groovy Plugin\\n\\n[](https:\/\/plugins.jenkins.io\/workflow-cps)\\n[](https:\/\/github.com\/jenkinsci\/workflow-cps-plugin\/blob\/master\/CHANGELOG.md)\\n[](https:\/\/plugins.jenkins.io\/workflow-cps)\\n\\n## Introduction\\n\\nA key component of the Pipeline plugin suite, this provides the standard execution engine for Pipeline steps, based on a custom [Groovy](http:\/\/www.groovy-lang.org\/) interpreter that runs inside the Jenkins controller process.\\n\\n(In principle other execution engines could be supported, with `FlowDefinition` being the API entry point, but none has been prototyped and it would likely be a very substantial effort to write one.)\\n\\nPipeline Groovy script code such as\\n\\n“`groovy\\nretry(3) {\\nfor (int i = 0; i \\u003c 10; i++) {\\n branches[\\”branch${i}\\”] = {\\n node {\\n retry(3) {\\n checkout scm\\n }\\n sh ‘make world’\\n }\\n }\\n}\\nparallel branches\\n“`\\n\\ngets run as a Groovy program, with certain special function calls called *steps* performing Jenkins-specific operations.\\nIn this example the step `parallel` is defined in this plugin, while `node`, `retry`, `checkout`, and `sh` are defined in other plugins in the Pipeline suite. The `scm` global variable is defined in the Pipeline Multibranch plugin.\\n\\nThe Groovy script is compiled to a class named `WorkflowScript`, so that is the name shown in stack traces instead of the script file-name (e.g. `Jenkinsfile`).\\n\\nUnlike a regular Groovy program run from a command line, the complete state of a Pipeline build\u2019s program is saved to disk every time an *asynchronous* operation is performed, which includes most Pipeline steps.\\nJenkins may be restarted while a build is running, and will resume running the program where it left off.\\nThis is not intended to be efficient, and so should be limited to high-level \u201cglue\u201d code directly related to Jenkins features;\\nyour project\u2019s own build logic should be run from external programs on a build node, in a `sh` or `bat` step.\\n\\n## Known limitations\\n\\nThe [Pipeline Groovy epic](https:\/\/issues.jenkins-ci.org\/browse\/JENKINS-35390) in JIRA covers some known limitations in the Groovy interpreter.\\nThese issues stem from the fact that Pipeline cannot run Groovy directly, but must intercept each operation to save the program state.\\n\\nThe [Pipeline Sandbox epic](https:\/\/issues.jenkins-ci.org\/browse\/JENKINS-35391) covers issues with the *Groovy sandbox* used to prevent malicious Pipeline scripts from taking control of Jenkins.\\nScripts run with the sandbox disabled can make direct calls to Jenkins internal APIs, which can be a useful workaround for missing step functionality, but for security reasons only administrators can approve such scripts.\\n\\nThe [Pipeline Snippet Generator epic](https:\/\/issues.jenkins-ci.org\/browse\/JENKINS-35393) covers issues with the tool used to provide samples of step syntax based on live configuration forms.\\n\\n## History\\n\\nThis plugin was previously the \\”Workflow CPS plugin\\” or \\”Workflow Groovy Plugin\\”. Accordingly it has the Maven `artifactId` `workflow-cps`, not `pipeline-groovy`.\\n\\n## Technical design\\n\\nThe plugin uses the [Groovy CPS library](https:\/\/github.com\/cloudbees\/groovy-cps\/) to implement a [continuation-passing style transformation](https:\/\/en.wikipedia.org\/wiki\/Continuation-passing_style) on the program as it is compiled.\\nThe standard Groovy compiler is used to create the AST, but generation of bytecode is intercepted by a `CompilationCustomizer` which replaces most operations with variants that throw a special \u201cerror\u201d, `CpsCallableInvocation`.\\nThis is then caught by the engine, which uses information from it (such as arguments about to be passed to a method call) to pass control on to the next continuation.\\n\\nPipeline scripts may mark designated methods with the annotation `@NonCPS`.\\nThese are then compiled normally (except for sandbox security checks), and so behave much like \u201cbinary\u201d methods from the Java Platform, Groovy runtime, or Jenkins core or plugin code.\\n`@NonCPS` methods may safely use non-`Serializable` objects as local variables, though they should not accept nonserializable parameters or return or store nonserializable values.\\nYou may not call regular (CPS-transformed) methods, or Pipeline steps, from a `@NonCPS` method, so they are best used for performing some calculations before passing a summary back to the main script.\\nNote in particular that `@Override`s of methods defined in binary classes,\\nsuch as `Object.toString()`,\\nshould in general be marked `@NonCPS` since it will commonly be binary code calling them.\\n\\nSome kinds of objects are intrinsically not safe to serialize as such, yet we want to retain a reference to them in the program graph.\\nAn example is the `Executor` (~ executor slot on a built-in or agent node) which is part of the context passed by a `node` step to any step in its block, especially `sh`\/`bat`.\\nPipeline uses the `Pickle` API to substitute serialization-safe versions of these objects.\\nWhen a `WorkflowRun` is loaded from disk after a restart, the program state is deserialized, and pickles are deserialized (\u201crehydrated\u201d) in parallel.\\nIf and when all pickles are successfully deserialized and the resulting objects placed back in the program state, the program begins running again, and `StepExecution.onResume` is called to restore timers and the like.\\n\\nAll program logic is run inside a \u201cCPS VM thread\u201d, which is just a Java thread pool that can run binary methods and figure out which continuation to do next.\\nThe `parallel` step uses \u201cgreen threads\u201d (also known as co\u00f6perative multitasking): it records logical thread (~ branch) names for various actions, but does not literally run them simultaneously.\\nThe program may seem to perform tasks concurrently, but only because most steps run asynchronously, while the VM thread is idle, and they may overlap in time.\\nNo Java thread is consumed except during the typically brief intervals when Groovy code is actually being run on the VM thread.\\nThe executor widget only displays an entry for the \u201cflyweight\u201d executor on the built-in node when the VM thread is busy; normally it is hidden.\\n”,”published”:”2025-08-17T06:40:10″,”modified”:”2025-08-17T06:41:02″,”type”:”githubexploit”,”title”:”Exploit for OS Command Injection in Jenkins Pipeline\\\\:_Groovy”,”source”:””,”references”:””,”id”:”E70A90E3-A691-580C-9098-8330B9CB9FEB”,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2022-25173″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/github.com\/shoucheng3\/jenkinsci__workflow-cps-plugin_CVE-2022-25173_2646-v6ed3b5b01ff1″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-18T21:27:17″,”description”:”# Pipeline: Groovy Plugin\\n\\n[](https:\/\/plugins.jenkins.io\/workflow-cps)\\n[](https:\/\/github.com\/jenkinsci\/workflow-cps-plugin\/blob\/master\/CHANGELOG.md)\\n[](https:\/\/plugins.jenkins.io\/workflow-cps)\\n\\n## Introduction\\n\\nA key component of the Pipeline plugin suite, this provides the standard execution engine for Pipeline steps, based…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,32,15,13,7,11,5],"class_list":["post-13374","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-githubexploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n