Jenkins, the widely used open-source automation server, has issued updates addressing four security vulnerabilities. Together they let an unauthenticated attacker take a Jenkins controller down (when HTTP/2 is enabled) or enumerate internal details such as agent names, and let low-privileged users discover installed plugins or plant misleading lines in Jenkins' own logs. Administrators running weekly releases up to 2.527 or the Long-Term Support (LTS) line up to 2.516.2 are strongly advised to upgrade.
HTTP/2 Denial of Service Vulnerability (CVE-2025-5115)
A high-severity vulnerability has been identified in the Winstone-Jetty HTTP/2 implementation bundled with Jenkins core. The flaw, an instance of the MadeYouReset class of HTTP/2 attacks, affects Jenkins 2.523 and earlier and LTS 2.516.2 and earlier when HTTP/2 is enabled. An unauthenticated attacker opens streams and then sends frames that violate the protocol in ways that force the server, rather than the client, to reset those streams; because server-initiated resets are not counted against the per-connection reset limit introduced after Rapid Reset, the attacker can keep the server processing an unbounded number of requests until memory or worker threads are exhausted and Jenkins becomes unresponsive or crashes. HTTP/2 is disabled by default in the native installers and the official Docker images, so only instances that explicitly enabled it are exposed. The issue is fixed in Jenkins 2.524 and LTS 2.516.3, which update Jetty to 12.0.25. Administrators who cannot upgrade immediately should disable HTTP/2 until they can.
Permission-Check Omissions (CVE-2025-59474 and CVE-2025-59475)
Two medium-severity vulnerabilities have been discovered that allow unauthorized enumeration of internal components:
1. CVE-2025-59474: In Jenkins 2.527 and earlier (LTS 2.516.2 and earlier), the sidepanel executors widget does not require Overall/Read permission. This lets unauthenticated users list agent names, information that helps an attacker map the build infrastructure.
2. CVE-2025-59475: The profile dropdown shown to authenticated users is rendered without a permission check, so an attacker with only a low-privileged account can learn which plugins are installed (for example the Credentials Plugin) from the menu entries it shows.
Both vulnerabilities are fixed in Jenkins weekly 2.528 and LTS 2.516.3: the affected sidepanel widget is removed and the profile menu now performs the missing permission check.
Log Message Injection Vulnerability (CVE-2025-59476)
Jenkins 2.527 and earlier (LTS 2.516.2 and earlier) do not escape user-controlled content before it is written into Jenkins' own system log: the log formatter passes carriage return and line feed characters through unchanged, and likewise the Unicode bidirectional-override and zero-width codepoints used in Trojan Source attacks. An attacker who controls a value that ends up in a log message can therefore append what looks like an entirely separate log record, or visually reorder the line, to mislead whoever reads the log during incident response. Jenkins weekly 2.528 and LTS 2.516.3 fix this by marking every line that an embedded line break produces: each such continuation line is prefixed with [CR] >, [LF] > or [CRLF] >, depending on the break that caused it, so it can no longer pass as an independent record. Administrators are additionally advised to use log viewers that highlight unusual characters and to restrict log access to trusted personnel.
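The following is an added example, not Jenkins' own code: it contrasts a naive log formatter with one that marks continuation lines the way the advisory describes, and adds the detector for Trojan Source codepoints that the advice about log viewers implies. The exact prefix format ("[CRLF] > ") and the sample input are assumptions made for the illustration.

```python
import re
import unicodedata

# Constructed sample: a user-controlled string (say, a name an attacker can set)
# carrying a CRLF so that its tail looks like a separate SEVERE log record.
ATTACKER_INPUT = "build-42\r\nSEVERE: hudson.security.SecurityRealm: authentication disabled"

_LINE_BREAK = re.compile(r"\r\n|\r|\n")          # CRLF must be tried before CR or LF
_BREAK_LABEL = {"\r\n": "[CRLF]", "\r": "[CR]", "\n": "[LF]"}
_LEVEL_PREFIX = re.compile(r"^(SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): ")

# Bidi override/isolate and zero-width codepoints abused in "Trojan Source" attacks.
_TROJAN_SOURCE = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E,          # LRE RLE PDF LRO RLO
                  0x2066, 0x2067, 0x2068, 0x2069,                  # LRI RLI FSI PDI
                  0x200B, 0x200C, 0x200D, 0x200E, 0x200F, 0xFEFF}  # zero-width, marks, BOM

def format_naive(level, message):
    """Pre-fix behaviour: the message is written verbatim, so an embedded line
    break starts what looks like a brand-new record."""
    return f"{level}: {message}"

def format_hardened(level, message):
    """Post-fix behaviour (modelled on the advisory's description, not Jenkins'
    code): keep the break, but prefix every continuation line with the kind of
    break that produced it so it cannot pass as an independent record."""
    segments = _LINE_BREAK.split(message)
    breaks = _LINE_BREAK.findall(message)
    rendered = [segments[0]]
    for sep, text in zip(breaks, segments[1:]):
        rendered.append(f"\n{_BREAK_LABEL[sep]} > {text}")
    return f"{level}: {''.join(rendered)}"

def apparent_records(rendered):
    """What a line-oriented viewer or SIEM parser would take for records: lines
    that begin with a java.util.logging level name."""
    return [line for line in _LINE_BREAK.split(rendered) if _LEVEL_PREFIX.match(line)]

def trojan_source_codepoints(message):
    """Codepoints a log viewer should highlight: (offset, U+XXXX, Unicode name)."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "?"))
            for i, c in enumerate(message) if ord(c) in _TROJAN_SOURCE]

if __name__ == "__main__":
    for fmt in (format_naive, format_hardened):
        out = fmt("INFO", ATTACKER_INPUT)
        print(f"{fmt.__name__}: {len(apparent_records(out))} apparent record(s)")
        print(repr(out))
    print(trojan_source_codepoints("Started by \u202echeck-admin"))
```

With the naive formatter the injected input yields two lines that both look like records; the hardened formatter keeps the break but leaves only one line that parses as a record. The detector is what you would bolt onto a log viewer or ingestion pipeline to surface the Unicode case, which the prefixing fix does not address.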
Summary of Vulnerabilities:
– CVE-2025-5115: HTTP/2 denial of service in bundled Jetty (CVSS 3.1 Score: 7.5, Severity: High)
– CVE-2025-59474: Missing permission check allows obtaining agent names (CVSS 3.1 Score: 5.3, Severity: Medium)
– CVE-2025-59475: Missing permission check in authenticated users’ profile menu (CVSS 3.1 Score: 4.6, Severity: Medium)
– CVE-2025-59476: Log message injection vulnerability (CVSS 3.1 Score: 4.4, Severity: Medium)
Mitigation Recommendations:
All Jenkins users are urged to upgrade: weekly releases to 2.528 and LTS to 2.516.3, which together address all four issues. The vulnerabilities were reported by Daniel Beck (CloudBees, Inc.), Manuel Fernandez (Stackhopper Security), and IBM Cloud Red Team members Robert Houtenbrink, Faris Mohammed, and Harsh Yadav. Administrators who cannot upgrade promptly should disable HTTP/2 (with the bundled Winstone/Jetty that means not configuring the --http2Port listener) and restrict access to log files until they can.
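As an added triage helper (not from the Jenkins project), the script below encodes the fixed-in versions from the advisory and the HTTP/2 condition on CVE-2025-5115 described above, and tells you which of the four CVEs still apply to a given core version and launch configuration. It assumes the version string comes from the X-Jenkins response header (or the "About Jenkins" page) and that Winstone only serves HTTP/2 when --http2Port is present in its options; check your own launcher if it wraps Winstone differently.

```python
import re
import shlex

# Fixed-in versions from the advisory, per release stream.
# Weekly releases are "2.N"; LTS releases are "2.N.M".
FIXED_IN = {
    "CVE-2025-5115":  {"weekly": (2, 524), "lts": (2, 516, 3)},
    "CVE-2025-59474": {"weekly": (2, 528), "lts": (2, 516, 3)},
    "CVE-2025-59475": {"weekly": (2, 528), "lts": (2, 516, 3)},
    "CVE-2025-59476": {"weekly": (2, 528), "lts": (2, 516, 3)},
}

def parse_version(text):
    """Parse '2.527' or '2.516.2' (e.g. the value of the X-Jenkins response
    header) into a comparable tuple plus the stream it belongs to."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"not a Jenkins core version: {text!r}")
    parts = tuple(int(p) for p in m.groups() if p is not None)
    return parts, ("lts" if len(parts) == 3 else "weekly")

def http2_enabled(jenkins_opts):
    """True when the Winstone launch options configure an HTTP/2 listener.
    Assumption: the bundled Winstone/Jetty only serves HTTP/2 when --http2Port
    is given; jenkins_opts is the JENKINS_OPTS / command-line string."""
    return any(arg.startswith("--http2Port") for arg in shlex.split(jenkins_opts))

def affected_cves(version_text, jenkins_opts=""):
    """Return the advisory CVEs that still apply to this version and launch config."""
    parts, stream = parse_version(version_text)
    hits = []
    for cve, fixed in FIXED_IN.items():
        if parts >= fixed[stream]:
            continue                       # already on a fixed release
        if cve == "CVE-2025-5115" and not http2_enabled(jenkins_opts):
            continue                       # the DoS needs an HTTP/2 listener
        hits.append(cve)
    return hits

if __name__ == "__main__":
    # Constructed inputs standing in for what `curl -sI https://jenkins.example/login`
    # (X-Jenkins header) and `ps -o args -C java` would give you on a real host.
    for version, opts in [("2.527", "--httpPort=8080"),
                          ("2.523", "--httpPort=8080 --http2Port=8443"),
                          ("2.516.2", "--httpsPort=8443"),
                          ("2.516.3", "--http2Port=8443")]:
        print(f"{version:8} {opts:40} -> {affected_cves(version, opts) or 'not affected'}")
```

Tuple comparison does the right thing for both streams because the advisory's "and earlier" covers older LTS lines as well (2.504.x is below 2.516.3 and is flagged); a bare "2.516" is a weekly release and is compared against the weekly thresholds.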