Critical Jenkins Vulnerability Exposes Systems to Unauthenticated Denial-of-Service Attacks
Jenkins, a widely utilized open-source automation server, has recently addressed a critical security flaw that could allow unauthenticated attackers to execute denial-of-service (DoS) attacks via its HTTP-based command-line interface (CLI). This vulnerability, identified as CVE-2025-67635, affects Jenkins versions 2.540 and earlier, including Long-Term Support (LTS) versions up to 2.528.2.
Understanding the Vulnerability
The core issue lies in Jenkins’ improper handling of corrupted HTTP CLI connection streams. When such a stream becomes corrupted, the server fails to close the connection appropriately. This oversight allows malicious actors to send specially crafted requests that cause the server’s request-handling threads to wait indefinitely. As these threads accumulate, server resources are exhausted, leading to a complete denial of service.
Implications for Organizations
Given that this vulnerability can be exploited without authentication credentials and over the network, it poses a significant risk to organizations using Jenkins, especially those with instances exposed to untrusted networks or the public internet. Attackers can repeatedly exploit this flaw, rendering Jenkins servers unresponsive and disrupting critical continuous integration and deployment pipelines.
Mitigation Measures
To address this vulnerability, the Jenkins team has released patches in versions 2.541 and LTS 2.528.3. These updates ensure that HTTP-based CLI connections are properly closed when stream corruption occurs, preventing thread exhaustion and subsequent DoS attacks.
Administrators are strongly advised to upgrade their Jenkins installations to these patched versions immediately. For those unable to upgrade promptly, it is recommended to disable the HTTP-based CLI as a temporary workaround. Additionally, monitoring systems for unusual connection patterns or anomalies in thread counts can help detect potential exploitation attempts.
Broader Context of Jenkins Security
This recent vulnerability is part of a series of security challenges Jenkins has faced over the past year. In October 2025, a critical vulnerability (CVE-2024-23897) was discovered, allowing attackers to execute remote code via the built-in CLI. This flaw stemmed from a default-enabled parser feature in the CLI, enabling arbitrary file reads that could escalate to remote code execution. The Jenkins team addressed this issue by disabling the problematic parser feature in subsequent releases.
In November 2025, another significant vulnerability (CVE-2025-53652) was identified in the Git Parameter plugin, affecting approximately 15,000 Jenkins servers. This flaw allowed attackers to execute arbitrary commands due to insufficient input validation in parameter definitions. The widespread adoption of Jenkins in DevOps environments made this vulnerability particularly concerning, as it could lead to unauthorized access and potential system compromise.
Furthermore, in December 2025, Jenkins addressed multiple vulnerabilities that could allow attackers to cause denial-of-service attacks or access sensitive configuration details. One notable issue (CVE-2025-5115) involved the Winstone-Jetty HTTP/2 implementation, where an outdated Jetty version was vulnerable to a DoS attack known as MadeYouReset. This flaw affected Jenkins versions 2.523 and earlier when HTTP/2 was enabled. The Jenkins team resolved this by updating Jetty to a secure version and advising administrators to disable HTTP/2 support if immediate upgrading wasn’t feasible.
Conclusion
The recent discovery of CVE-2025-67635 underscores the importance of proactive security measures for organizations relying on Jenkins for their CI/CD pipelines. Regularly updating Jenkins installations, promptly applying security patches, and monitoring for unusual system behaviors are crucial steps in safeguarding against potential exploits. As Jenkins continues to be a cornerstone in software development workflows, maintaining its security is paramount to ensure the integrity and availability of development processes.
