Jenkins Denial-of-Service Vulnerability in HTTP-Based CLI Connections

Vulnerability

A denial-of-service vulnerability affects Jenkins weekly releases through 2.540 and LTS releases through 2.528.2. Jenkins does not properly terminate HTTP-based command-line interface (CLI) connections when the connection stream becomes corrupted. An unauthenticated attacker can therefore open HTTP-based CLI connection requests whose handling never completes, leaving request-handling threads waiting indefinitely and disrupting normal request handling.

Impact

Exploitation leaves request-handling threads waiting indefinitely. Because those threads come from a finite pool, repeated requests can tie up the pool and slow Jenkins or stop it responding to legitimate requests altogether. No credentials are required, so any client that can reach the Jenkins HTTP endpoint can trigger the condition.

Remediation

Update to Jenkins 2.541 or LTS 2.528.3; both releases ensure that HTTP-based CLI connections are closed when the connection stream is corrupted. The advisory names no workaround. If the upgrade must wait, restricting which networks can reach the CLI endpoint (for example at a reverse proxy) reduces exposure but does not remove the flaw, since the attack needs no authentication.
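The affected and fixed versions above are easy to misread because Jenkins ships two release lines with different version shapes. The following script, added here as an example and not code from the Jenkins project or from the advisory, decides whether a reported core version falls inside the affected range. It assumes (not stated by the advisory) that LTS versions carry three numeric components such as 2.528.2 while weekly releases carry two such as 2.540, and that a Jenkins instance reports its core version in the X-Jenkins response header, including on error responses. The URL in the usage message is a placeholder.

```python
"""Version check for the Jenkins HTTP-based CLI denial-of-service advisory.

Added example, not code from the Jenkins project or from the advisory.
Affected range (from the advisory): weekly releases through 2.540 and LTS
releases through 2.528.2; fixed in weekly 2.541 and LTS 2.528.3.

Assumptions not stated in the advisory: LTS versions have three numeric
components (2.528.2) while weekly releases have two (2.540), and a Jenkins
instance reports its core version in the X-Jenkins response header.
"""
import re
import sys
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

# First fixed releases, as tuples so they compare component-wise.
FIXED_WEEKLY = (2, 541)
FIXED_LTS = (2, 528, 3)

# Two or three dotted integers; a trailing suffix such as "-SNAPSHOT" is
# ignored, but a fourth numeric component is rejected as not a core version.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?![\d.])")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '2.540' or '2.528.2' into a tuple of ints; None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    parts = [int(m.group(1)), int(m.group(2))]
    if m.group(3) is not None:
        parts.append(int(m.group(3)))
    return tuple(parts)


def is_lts(version: Tuple[int, ...]) -> bool:
    """Assumption: three components means an LTS release, two means weekly."""
    return len(version) == 3


def is_affected(text: str) -> Optional[bool]:
    """True if inside the affected range, False if fixed, None if unparseable.

    LTS and weekly lines are compared against their own first fixed release:
    comparing an LTS 2.528.2 against weekly 2.541 would wrongly call it fixed.
    """
    version = parse_version(text)
    if version is None:
        return None
    if is_lts(version):
        return version < FIXED_LTS
    return version < FIXED_WEEKLY


def version_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Return the X-Jenkins header value, matching the name case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def fetch_version(base_url: str, timeout: float = 10.0) -> Optional[str]:
    """One GET against the instance; read X-Jenkins even from a 403/404 reply,
    so a locked-down login page is enough (assumption about Jenkins behaviour)."""
    request = urllib.request.Request(base_url, method="GET")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return version_from_headers(dict(response.headers.items()))
    except urllib.error.HTTPError as err:
        return version_from_headers(dict(err.headers.items()))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_jenkins_cli_dos.py https://jenkins.example.internal/")
    reported = fetch_version(sys.argv[1])
    if reported is None:
        sys.exit("no X-Jenkins header in the response (not Jenkins, or a proxy strips it)")
    label = {True: "AFFECTED, upgrade", False: "fixed", None: "unrecognised version"}
    print(f"Jenkins {reported}: {label[is_affected(reported)]}")
```

The verdict rests on the version string alone; it says nothing about whether the CLI endpoint is actually reachable from the network the attacker sits on, which is what the reverse-proxy restriction above would change.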

Added: Dec 10, 2025, 5:22 PM
Updated: Dec 10, 2025, 6:25 PM

Vulnerability Rating

Custom Algorithm

spread          5.7
impact          2.5
exploitability  7.0
remediation     7.7
relevance       1.4
threat          0.0
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.