High-Severity Jenkins Vulnerability Allows Unauthenticated DoS via HTTP CLI

Posted on By CWS

Patches launched by Jenkins deal with a major denial-of-service (DoS) vulnerability affecting tens of millions of organizations.

That depend on the favored automation server for steady integration and deployment pipelines. A high-severity vulnerability in Jenkins variations 2.540 and earlier (LTS 2.528.2 and earlier).

Allows unauthenticated attackers to set off denial of service assaults by means of the HTTP-based command-line interface.

Vulnerability Overview

The vulnerability stems from improper connection dealing with when HTTP CLI streams turn out to be corrupted.

Permitting malicious actors to exhaust server assets with out requiring authentication credentials. The flaw exists in Jenkins’s connection administration logic.

When an HTTP-based CLI connection stream turns into corrupted, the appliance fails to correctly shut the connection.

AttributeValueCVE IDCVE-2025-67635Vendor / ProjectJenkinsVulnerability TypeDenial of Service (DoS) by way of HTTP-based CLICVSS Base ScoreHighCVSS VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HAttack VectorNetwork (HTTP-based CLI)DescriptionImproper closing of corrupted HTTP-based CLI connections permits unauthenticated DoS by exhausting threads.

This permits attackers to ship specifically crafted connection requests that trigger request-handling threads to attend indefinitely. Successfully freezing assets and stopping reliable visitors from being processed.

As a result of the vulnerability requires no authentication and could be exploited remotely over the community.

It poses a direct threat to Jenkins installations uncovered to untrusted networks or the general public web.

Attackers can repeatedly set off this situation, accumulating threads till the server turns into unresponsive.

Organizations should improve instantly to Jenkins 2.541 or LTS 2.528.3. Which embody patches that correctly shut HTTP-based CLI connections when stream corruption happens.

The fastened variations restore regular useful resource cleanup and forestall thread exhaustion assaults.

Safety groups ought to prioritize patching all Jenkins deployments, significantly internet-facing cases.

Monitor methods for uncommon connection patterns or thread rely anomalies which may point out lively exploitation makes an attempt.

Observe us on Google Information, LinkedIn, and X to Get Extra Instantaneous Updates, Set CSN as a Most well-liked Supply in Google.

Cyber Security News Tags:, , , , , ,

Related Posts

APT36 Hackers Attacking Indian Government Entities to Steal Login Credentials Cyber Security News
Threat Actors Exploiting Ivanti Connect Secure Vulnerabilities to Deploy Cobalt Strike Beacon Cyber Security News
Tomiris Hacker Group Added New Tools and Techniques to Attack Organizations Globally Cyber Security News
Ubiquiti UniFi Door Access App Vulnerability Exposes API Management Without Authentication Cyber Security News
Critical Apple 0-Day Vulnerability Actively Exploited in the Wild Cyber Security News
Hackers Exploiting RMM Tools LogMeIn and PDQ Connect to Deploy Malware as a Normal Program Cyber Security News