High-Severity Jenkins Vulnerability Allows Unauthenticated DoS via HTTP CLI

Patches released by Jenkins address a significant denial-of-service (DoS) vulnerability affecting millions of organizations.

That rely on the popular automation server for continuous integration and deployment pipelines. A high-severity vulnerability in Jenkins versions 2.540 and earlier (LTS 2.528.2 and earlier).

Enables unauthenticated attackers to trigger denial of service attacks through the HTTP-based command-line interface.

Vulnerability Overview

The vulnerability stems from improper connection handling when HTTP CLI streams become corrupted.

Allowing malicious actors to exhaust server resources without requiring authentication credentials. The flaw exists in Jenkins’s connection management logic.

When an HTTP-based CLI connection stream becomes corrupted, the application fails to properly close the connection.

This allows attackers to send specially crafted connection requests that cause request-handling threads to wait indefinitely. Effectively freezing resources and preventing legitimate traffic from being processed.

Because the vulnerability requires no authentication and can be exploited remotely over the network.

It poses an immediate risk to Jenkins installations exposed to untrusted networks or the public internet.

Attackers can repeatedly trigger this condition, accumulating threads until the server becomes unresponsive.

Organizations must upgrade immediately to Jenkins 2.541 or LTS 2.528.3. Which include patches that properly close HTTP-based CLI connections when stream corruption occurs.

The fixed versions restore normal resource cleanup and prevent thread exhaustion attacks.

Security teams should prioritize patching all Jenkins deployments, particularly internet-facing instances.

Monitor systems for unusual connection patterns or thread count anomalies that might indicate active exploitation attempts.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.