Jenkins Patches Multiple Vulnerabilities that Allow Attackers to Cause a Denial of Service

Jenkins has released critical updates addressing four security flaws that unauthenticated and low-privileged attackers could exploit to disrupt service or glean sensitive configuration details. 

Administrators running Jenkins weekly releases up to 2.527 or the Long-Term Support (LTS) stream up to 2.516.2 must upgrade to mitigate these risks.

HTTP/2 Denial of Service (CVE-2025-5115)

A high-severity issue (CVSS 3.1 A:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) exists in the Winstone-Jetty HTTP/2 implementation bundled with Jenkins core. When Jenkins is launched with HTTP/2 enabled, whether through its startup arguments or an equivalent systemd service configuration, the bundled, outdated Jetty version is vulnerable to a denial-of-service attack known as "MadeYouReset." 

Unauthenticated attackers can send crafted HTTP/2 frames that exhaust server resources, causing Jenkins to become unresponsive or crash. 

This flaw affects Jenkins 2.523 and earlier, and LTS 2.516.2 and earlier, when HTTP/2 is enabled. According to the advisory, HTTP/2 remains disabled by default in the native installers and official Docker images. 

The fixes in Jenkins 2.524 and LTS 2.516.3 update Jetty to version 12.0.25, removing the vulnerability. Administrators unable to upgrade immediately are strongly advised to disable HTTP/2 support.

Permission-Check Omissions (CVE-2025-59474, CVE-2025-59475)

Two medium-severity flaws allow unauthorized enumeration of internal components. In the sidepanel executors widget, Jenkins 2.527 and earlier (LTS 2.516.2 and earlier) fail to enforce Overall/Read permission, letting unauthenticated users list agent names (CVE-2025-59474). 

Similarly, a bug in the authenticated user profile dropdown (CVE-2025-59475) permits attackers with minimal privileges to discover which plugins, such as the Credentials Plugin, are installed by inspecting menu entries. 

Both issues are resolved in Jenkins weekly 2.528 and LTS 2.516.3, which remove the vulnerable sidepanel and enforce permission checks in profile menus.

Log Message Injection (CVE-2025-59476)

Jenkins’ console log formatter in versions up to 2.527 (LTS 2.516.2 and earlier) does not sanitize user-controlled content before writing to system logs (jenkins.log and equivalents). 

Attackers can insert carriage return or line feed characters, or even Unicode "Trojan Source" codepoints, into log entries, forging misleading log lines that hamper incident response. 

The update in weekly 2.528 and LTS 2.516.3 flags injected line breaks with indicators such as [CR], [LF], or [CRLF] followed by a > prefix on the continuation line, but administrators are still advised to use log viewers that highlight unusual characters and to restrict log access to trusted personnel.
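As an added example (not Jenkins's own code), the following Python shows both sides of the log-injection problem from a defender's view: a sanitizer that neutralises injected line breaks in the way the 2.528 fix is described ([CR]/[LF]/[CRLF] markers plus a > continuation prefix), and a scanner that flags bidi control codepoints and stray control characters so a log viewer can highlight them. The codepoint set and the sample log string are assumptions constructed for this example.

```python
import re
import unicodedata

# Unicode bidirectional override/isolate controls used in "Trojan Source"
# attacks (U+202A..U+202E, U+2066..U+2069). This set is an assumption for
# the example, not the list Jenkins itself checks.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
}


def sanitize_log_message(msg: str) -> str:
    """Replace each injected CR, LF or CRLF with a visible marker and keep
    whatever followed it on a '>'-prefixed continuation line, so a forged
    entry can no longer pass as a genuine, separate log record."""
    def mark(m: re.Match) -> str:
        token = {"\r\n": "[CRLF]", "\r": "[CR]", "\n": "[LF]"}[m.group(0)]
        return f"{token}\n> "
    # CRLF must be tried first so it is not split into [CR] and [LF].
    return re.sub(r"\r\n|\r|\n", mark, msg)


def find_suspicious_chars(line: str) -> list[tuple[int, str]]:
    """Return (offset, U+XXXX) for every bidi control or other control
    character in a raw log line; tabs are tolerated as ordinary formatting."""
    hits = []
    for i, ch in enumerate(line):
        is_control = unicodedata.category(ch) == "Cc" and ch != "\t"
        if ch in BIDI_CONTROLS or is_control:
            hits.append((i, f"U+{ord(ch):04X}"))
    return hits


# Constructed sample: a user-controlled value (e.g. a job or parameter name)
# carrying a CRLF and a fake SEVERE record behind it.
INJECTED = "build-42\r\nSEVERE: Credentials Plugin disabled by admin"


def demo() -> str:
    """Render the sample through the sanitizer, as a log formatter would."""
    return "INFO: Starting " + sanitize_log_message(INJECTED)


if __name__ == "__main__":
    print(demo())
    print(find_suspicious_chars(INJECTED))
```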

| CVE | Title | CVSS 3.1 Score | Severity |
| --- | --- | --- | --- |
| CVE-2025-5115 | HTTP/2 denial of service in bundled Jetty | 7.5 | High |
| CVE-2025-59474 | Missing permission check allows obtaining agent names | 5.3 | Medium |
| CVE-2025-59475 | Missing permission check in authenticated users' profile menu | 4.6 | Medium |
| CVE-2025-59476 | Log message injection vulnerability | 4.4 | Medium |

Mitigations

All Jenkins users should upgrade immediately: weekly releases to 2.528 and LTS to 2.516.3. 

These versions collectively address the high-severity HTTP/2 DoS (CVE-2025-5115) and the medium-severity permission-check and log injection flaws (CVE-2025-59474, CVE-2025-59475, CVE-2025-59476). 

The security researchers Daniel Beck (CloudBees, Inc.), Manuel Fernandez (Stackhopper Security), and IBM Cloud Red Team members Robert Houtenbrink, Faris Mohammed, and Harsh Yadav reported these issues. 

Administrators unable to upgrade should, at a minimum, disable HTTP/2 and restrict access to log files to prevent exploitation.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.