Jenkins setup:
Jenkins: 2.516.3
OS: Linux - 5.15.0-1096-azure
Java: 21.0.8 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
Office-365-Connector:5.2.0
allure-jenkins-plugin:2.32.0
ansicolor:1.0.6
antisamy-markup-formatter:173.v680e3a_b_69ff3
apache-httpcomponents-client-4-api:4.5.14-269.vfa_2321039a_83
apache-httpcomponents-client-5-api:5.5-170.v023de017ccd7
asm-api:9.8-163.vb_2a_96d3f9c3c
authentication-tokens:1.144.v5ff4a_5ec5c33
authorize-project:2.0.0
basic-branch-build-strategies:275.vde2351b_4a_58b_
bootstrap5-api:5.3.8-890.v1c5cf4fa_178e
bouncycastle-api:2.30.1.81-264.v95c79c0e772c
branch-api:2.1253.v6e7f7519f710
byte-buddy-api:1.17.7-181.ve4f4387cb_a_86
caffeine-api:3.2.2-178.v353b_8428ed56
checks-api:373.vfe7645102093
cloudbees-folder:6.1045.vb_ddd55e2d03f
command-launcher:123.v37cfdc92ef67
commons-compress-api:1.28.0-1
commons-lang3-api:3.18.0-98.v3a_674c06072d
commons-text-api:1.14.0-194.v804a_dc3a_1b_d8
configuration-as-code:1995.v540b_50a_eb_0c1
credentials:1447.v4cb_b_539b_5321
credentials-binding:702.vfe613e537e88
database:274.vea_2e859b_2661
database-postgresql:146.vd1a_f70b_56e0e
dependency-track:6.0.2
disable-github-multibranch-status:1.2
display-url-api:2.217.va_6b_de84cc74b_
durable-task:605.v9a_b_9040c9970
echarts-api:6.0.0-1146.v5c8f3b_8f0573
eddsa-api:0.3.0.1-19.vc432d923e5ee
font-awesome-api:7.0.1-859.v128d3a_efb_6e5
git:5.7.0
git-client:6.4.0
github:1.45.0
github-api:1.330-492.v3941a_032db_2a_
github-branch-source:1864.v411feec5e78e
github-checks:634.v371dc6d978a_3
github-pr-comment-build:134.ve7ff0b_719821
gson-api:2.13.2-173.va_a_092315913c
hashicorp-vault-plugin:371.v884a_4dd60fb_6
instance-identity:203.v15e81a_1b_7a_38
ionicons-api:94.vcc3065403257
jackson2-api:2.20.0-411.v6ef8fdee4fe9
jakarta-activation-api:2.1.3-2
jakarta-mail-api:2.1.3-3
javax-activation-api:1.2.0-8
javax-mail-api:1.6.2-11
jaxb:2.3.9-133.vb_ec76a_73f706
jdk-tool:83.v417146707a_3d
jjwt-api:0.11.5-120.v0268cf544b_89
job-dsl:1.93
joda-time-api:2.14.0-149.v1c3ce991d1b_9
jquery3-api:3.7.1-594.vb_3864f326cf0
json-api:20250517-173.v596efb_962a_31
json-path-api:2.9.0-190.veefca_05d5477
junit:1355.v45e2ea_65863c
kubernetes:4371.vb_33b_086d54a_1
kubernetes-client-api:7.3.1-256.v788a_0b_787114
kubernetes-credentials:206.vde31a_b_0f71a_c
mailer:522.va_995fa_cfb_8b_d
matrix-auth:3.2.8
matrix-project:858.vb_b_eb_9a_7ea_99e
metrics:4.2.33-484.v2fcd689980d1
mina-sshd-api-common:2.16.0-167.va_269f38cc024
mina-sshd-api-core:2.16.0-167.va_269f38cc024
multibranch-action-triggers:1.8.10
oic-auth:4.609.v9de140f63d01
okhttp-api:4.12.0-195.vc02552c04ffd
opentelemetry-api:1.49.0.82.vf56234f0d9c1
pipeline-build-step:571.v08a_fffd4b_0ce
pipeline-graph-analysis:245.v88f03631a_b_21
pipeline-groovy-lib:763.v13008816b_de7
pipeline-input-step:534.v352f0a_e98918
pipeline-milestone-step:138.v78ca_76831a_43
pipeline-model-api:2.2273.v643f36ed9e94
pipeline-model-definition:2.2273.v643f36ed9e94
pipeline-model-extensions:2.2273.v643f36ed9e94
pipeline-rest-api:2.38
pipeline-stage-step:322.vecffa_99f371c
pipeline-stage-tags-metadata:2.2273.v643f36ed9e94
pipeline-stage-view:2.38
pipeline-utility-steps:2.20.0
plain-credentials:199.v9f8e1f741799
plugin-util-api:6.1167.v022176c7e0ca_
postgresql-api:42.7.7-67.v70a_30b_84f58b_
prism-api:1.30.0-609.vf0a_df102d9a_f
remote-file:1.24
role-strategy:799.v5b_e7b_ecc231e
scm-api:709.v6c27075a_b_1c7
scmskip:82.v24fc1c6f381b_
script-security:1378.vf25626395f49
simple-theme-plugin:211.v5424a_5510e47
snakeyaml-api:2.3-125.v4d77857a_b_402
ssh-credentials:361.vb_f6760818e8c
ssh-slaves:3.1071.v0d059c7b_c555
sshd:3.353.v2b_d33c46e970
structs:353.v261ea_40a_80fb_
token-macro:477.vd4f0dc3cb_cf1
trilead-api:2.209.v0e69b_c43c245
uno-choice:2.8.8
variant:70.va_d9f17f859e0
workflow-aggregator:608.v67378e9d3db_1
workflow-api:1384.vdc05a_48f535f
workflow-basic-steps:1098.v808b_fd7f8cf4
workflow-cps:4204.v2894b_cd7b_92f
workflow-durable-task-step:1464.v2d3f5c68f84c
workflow-job:1546.v62a_c59c112dd
workflow-multibranch:821.vc3b_4ea_780798
workflow-scm-step:452.vdf1ca_c8d3a_87
workflow-step-api:706.v518c5dcb_24c0
workflow-support:989.va_20a_1a_57710a_
I’m running Jenkins LTS on Kubernetes, using the Organization Folder plugin (Multibranch), JCasC for configuration, and my secrets are stored as Kubernetes secrets. Our pipelines use credentials binding, and we trigger builds via GitHub webhooks. All plugins are up to date.
I frequently see the following exception in the Jenkins logs, even when no pipeline is running and Jenkins is otherwise “idle” (e.g., only organization scans or webhooks are being processed):
14091-2025-10-21 18:11:24.183+0000 [id=53323] WARNING o.j.p.w.s.d.DurableTaskStep$Execution#run
14092:java.util.regex.PatternSyntaxException: Illegal repetition near index 1
14093-[LF]> {AQAAABAAAQoQc5Rrl3D3MI9K0kQjxm0jEv8AAkYdfA2W46vYB15QWzS57Hmm8qu6AqvDfd+y0chrCXKntRnOL3UlOFLLvH+V8YJmZrmEpv+gFnoaZRIseykPs3dGazPHYWzb0lqG5ysLLk1Zv183TjTBVs5rwNxRsKEjBuYQkqxcB1x7/DffeqFdaF5ySGgnkm4K6F5wAkLodHDTyUA/USz71hM9Yz8pSYMeBh8Q9NJUlM
…} <varies in length>
14094-[LF]> ^
14095- at java.base/java.util.regex.Pattern.error(Unknown Source)
14096- at java.base/java.util.regex.Pattern.closure(Unknown Source)
14097- at java.base/java.util.regex.Pattern.sequence(Unknown Source)
14098- at java.base/java.util.regex.Pattern.expr(Unknown Source)
14099- at java.base/java.util.regex.Pattern.compile(Unknown Source)
14100- at java.base/java.util.regex.Pattern.(Unknown Source)
14101- at java.base/java.util.regex.Pattern.compile(Unknown Source)
14102- at PluginClassLoader for credentials-binding//org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Filter.lambda$decorateLogger$0(BindingStep.java:250)
What i’ve checked so far:
Plugins: All Jenkins and plugins are up to date.
credentials.xml <in /var/jenkins_home>: My credentials.xml only contains Jenkins-encrypted secrets (expected).
Mask Passwords plugin: Not installed.
The error always references a string starting with {AQAA...}, which I understand is Jenkins’ encrypted secret format. The error is thrown from credentials-binding masking logic, but I cannot find any source in my configuration that would be contributing this ciphertext as a mask.It happens during org scans/webhook processing — not only during pipeline execution.
What could be contributing Jenkins-encrypted secrets ({AQAA...}) as patterns to the credentials-binding masking filter when Jenkins is idle? Are there plugins or global config sources that could be feeding these ciphertexts into the masking filter at runtime, even if not written to disk?
And also, how can I track down the exact source of the bad mask being compiled as a regex?
Any help or pointers would be greatly appreciated! 