CVE-2025-67635
📋 TL;DR
Jenkins versions 2.540 and earlier (including LTS 2.528.2 and earlier) do not properly close HTTP-based CLI connections once they become corrupted, allowing unauthenticated attackers to cause a denial of service. This affects every Jenkins instance running an affected version and can disrupt CI/CD pipelines.
💻 Affected Systems
- Jenkins
📦 What is this software?
Jenkins by Jenkins
⚠️ Risk & Real-World Impact
Worst Case
Complete Jenkins service outage, disrupting all CI/CD pipelines and automated builds until manual intervention restarts the service.
Likely Case
Partial service degradation where Jenkins becomes unresponsive or slow, affecting build jobs and developer productivity.
If Mitigated
Minimal impact with proper network segmentation and monitoring allowing quick detection and response.
🎯 Exploit Status
The advisory describes the vulnerability clearly, making exploitation straightforward for attackers familiar with Jenkins HTTP CLI.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Jenkins 2.541, Jenkins LTS 2.528.3
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3630
Restart Required: Yes
Instructions:
1. Back up Jenkins configuration and data.
2. Download Jenkins 2.541 or Jenkins LTS 2.528.3 from official sources.
3. Stop the Jenkins service.
4. Install the updated version.
5. Restart the Jenkins service.
6. Verify functionality.
🔧 Temporary Workarounds
Disable HTTP-based CLI
Disable the vulnerable HTTP-based CLI interface to prevent exploitation
java -jar jenkins-cli.jar -s http://jenkins.example.com/ disable-cli
Network Access Control
Restrict access to the Jenkins HTTP port (default 8080), which also carries the HTTP CLI, to trusted IPs only
iptables -A INPUT -p tcp --dport 8080 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to limit Jenkins CLI access to trusted networks only
- Deploy rate limiting or web application firewall rules to detect and block suspicious HTTP CLI connection patterns
🔍 How to Verify
Check if Vulnerable:
Check Jenkins version via Manage Jenkins > About Jenkins or via CLI: java -jar jenkins-cli.jar -s http://jenkins.example.com/ version
Check Version:
java -jar jenkins-cli.jar -s http://jenkins.example.com/ version
Verify Fix Applied:
Verify version is 2.541 or higher (or LTS 2.528.3 or higher) and test HTTP CLI connections remain stable under load
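A version check against the thresholds above, added here as an example that is not part of the advisory: it parses a weekly (two-part) or LTS (three-part) Jenkins version string, such as the one Jenkins returns in its X-Jenkins response header, and reports whether CVE-2025-67635 applies. The header dict at the bottom is constructed sample data, not a captured response.

```python
import re
from typing import Dict, Optional, Tuple

# Thresholds from the advisory: weekly 2.540 and earlier and LTS 2.528.2
# and earlier are affected; 2.541 and LTS 2.528.3 carry the fix.
LAST_VULNERABLE_WEEKLY = (2, 540)
LAST_VULNERABLE_LTS = (2, 528, 2)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_jenkins_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse '2.540' (weekly) or '2.528.2' (LTS) into an int tuple.

    Weekly releases use two components, LTS releases three. A trailing
    qualifier such as '-SNAPSHOT' is ignored. Returns None on junk input.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def is_vulnerable(version: str) -> bool:
    """True if this Jenkins version is affected by CVE-2025-67635."""
    parsed = parse_jenkins_version(version)
    if parsed is None:
        raise ValueError(f"not a Jenkins version string: {version!r}")
    # Compare LTS against the LTS threshold and weekly against the weekly
    # one, so that e.g. LTS 2.528.3 is not misjudged by the weekly cutoff.
    if len(parsed) == 3:
        return parsed <= LAST_VULNERABLE_LTS
    return parsed <= LAST_VULNERABLE_WEEKLY


def version_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Pull the version from the X-Jenkins header Jenkins adds to responses."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


if __name__ == "__main__":
    # Constructed sample response headers, not captured from a real server.
    sample_headers = {"Content-Type": "text/html", "X-Jenkins": "2.528.2"}
    found = version_from_headers(sample_headers)
    print(found, "vulnerable" if found and is_vulnerable(found) else "patched")
```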
📡 Detection & Monitoring
Log Indicators:
- Multiple HTTP 500 errors from CLI endpoints
- Unusual number of open HTTP connections to Jenkins CLI
- Jenkins service restart events without clear cause
Network Indicators:
- High volume of HTTP requests to /cli endpoint
- Abnormal connection patterns to Jenkins port 8080
SIEM Query:
source="jenkins.log" AND ("HTTP 500" OR "CLI connection" OR "connection corrupted")