Jenkins has released a critical security advisory addressing a high-severity denial-of-service vulnerability affecting millions of organizations that rely on the popular automation server.
The flaw, tracked as CVE-2025-67635, allows unauthenticated attackers to disrupt Jenkins instances by exploiting improper handling of corrupted HTTP-based CLI connections.
Vulnerability Overview
The vulnerability resides in Jenkins’ HTTP-based command-line interface, where the application fails to properly close connections when the connection stream becomes corrupted.
This design flaw enables attackers without authentication credentials to launch denial-of-service attacks by sending malformed HTTP CLI requests.
When exploited, these requests cause request-handling threads to wait indefinitely, consuming system resources and rendering the Jenkins instance unavailable to legitimate users.
The attack requires no special privileges or user interaction, making it exceptionally dangerous in internet-facing deployments.
The vulnerability affects a broad range of Jenkins installations, impacting both enterprise environments and smaller DevOps teams that depend on Jenkins for continuous integration and deployment operations.
The vulnerability affects Jenkins versions 2.540 and earlier, as well as Jenkins LTS (Long-Term Support) version 2.528.2 and earlier.
| CVE ID | CVSS Score | Severity | Affected Versions |
|---|---|---|---|
| CVE-2025-67635 | 7.5 | High | Jenkins ≤2.540, LTS ≤2.528.2 |
Organizations running these versions face immediate risk and should prioritize remediation efforts.
Jenkins has released patched versions addressing this issue. Users should upgrade to Jenkins 2.541 or later, and LTS users must update to version 2.528.3 or later.
These versions include proper connection closure mechanisms that prevent the resource exhaustion condition triggered by corrupted streams.
Security teams should immediately assess their Jenkins deployments to identify affected instances.
Prioritize patching internet-facing Jenkins servers, as they pose the highest risk of external exploitation.
For environments where immediate patching is not feasible, consider implementing network-level restrictions to limit access to the CLI interface.
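As an added example (not code from the advisory or the Jenkins project), the following Python helper classifies a Jenkins version string against the fixed releases named above, using the convention that LTS versions carry three numeric components and weekly releases two; the sample version strings at the bottom are constructed for illustration, and the `X-Jenkins` response header is assumed as the usual place an inventory tool would read the version from.

```python
"""Classify a Jenkins version string against the CVE-2025-67635 fix releases.

Fixed releases (from the advisory): weekly 2.541, LTS 2.528.3.
Jenkins LTS versions carry three numeric components (e.g. 2.528.2);
weekly releases carry two (e.g. 2.540). That distinction selects which
fix line a version is compared against.
"""
from __future__ import annotations

import re

# First fixed release on each line, as stated in the advisory.
FIXED_WEEKLY = (2, 541)
FIXED_LTS = (2, 528, 3)

# Leading dotted-integer part of a version; suffixes like "-SNAPSHOT" are ignored.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)")


def parse_version(raw: str) -> tuple[int, ...]:
    """Turn a version string (e.g. from the X-Jenkins header) into an int tuple."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {raw!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def release_line(version: tuple[int, ...]) -> str:
    """LTS versions have three components; weekly releases have two."""
    return "lts" if len(version) >= 3 else "weekly"


def is_affected(raw: str) -> bool:
    """True if the version is older than the first fixed release on its line."""
    version = parse_version(raw)
    fixed = FIXED_LTS if release_line(version) == "lts" else FIXED_WEEKLY
    return version < fixed


if __name__ == "__main__":
    # Constructed sample values, not versions observed on any real host.
    for sample in ("2.540", "2.541", "2.528.2", "2.528.3", "2.516.1", "2.543-SNAPSHOT"):
        status = "AFFECTED" if is_affected(sample) else "fixed   "
        print(f"{status} {sample} ({release_line(parse_version(sample))})")
```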