Severity
High
Analysis Summary
Jenkins, a widely used automation server for continuous integration and deployment, has addressed a critical denial-of-service (DoS) vulnerability impacting millions of organizations. The flaw affects Jenkins versions 2.540 and earlier (including LTS 2.528.2 and earlier) and allows unauthenticated attackers to exploit the HTTP-based command-line interface (CLI) to exhaust server resources. This vulnerability is particularly severe because it can be exploited remotely without any credentials, putting publicly accessible Jenkins installations at immediate risk.
The root cause of the vulnerability lies in improper connection handling when HTTP CLI streams become corrupted. When this occurs, Jenkins fails to close the affected connections correctly, leaving threads waiting indefinitely. Attackers can exploit this by sending specially crafted connection requests, causing request-handling threads to accumulate and consume system resources. As a result, legitimate traffic cannot be processed, effectively freezing the server and triggering a denial-of-service condition.
Identified as CVE-2025-67635, the flaw has a high CVSS score due to its network-based attack vector, lack of required authentication, and potential for complete service disruption. Jenkins’s connection management logic did not adequately clean up resources when HTTP-based CLI streams were corrupted, creating a reliable method for attackers to repeatedly trigger DoS conditions. This makes internet-facing or untrusted network deployments particularly vulnerable.
To mitigate the risk, organizations must upgrade immediately to Jenkins 2.541 or LTS 2.528.3, which include patches that properly handle corrupted HTTP CLI streams and restore normal resource cleanup. Security teams should prioritize patching all deployments, especially those exposed to external networks, and monitor systems for unusual connection patterns or abnormal thread counts that may indicate active exploitation attempts. Implementing these updates ensures protection against thread exhaustion attacks and maintains uninterrupted CI/CD operations.
Impact
- Denial of Service
Affected Vendors
Remediation
- Upgrade Jenkins immediately to version 2.541 or LTS 2.528.3 to apply the patch that fixes HTTP CLI connection handling.
- Restrict access to Jenkins servers from untrusted networks by implementing firewalls, VPNs, or IP whitelisting.
- Monitor server metrics, including thread counts and connection patterns, to detect anomalies indicative of DoS attempts.
- Disable or limit HTTP-based CLI access if not required, reducing exposure to potential exploitation.
- Regularly review and update Jenkins plugins and core to ensure all components are patched against known vulnerabilities.
- Implement alerting for unusually high resource usage or server unresponsiveness to respond quickly to potential attacks.