CVE-2025-67635
December 10, 2025
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service.
Affected Packages
https://github.com/jenkinsci/jenkins.git (GITHUB):
Affected version(s) >=jenkins-1.416 <jenkins-2.541Fix Suggestion:
Update to version jenkins-2.541https://github.com/jenkinsci/jenkins.git (GITHUB):
Affected version(s) >=jenkins-1.416 <jenkins-2.528.3Fix Suggestion:
Update to version jenkins-2.528.3org.jenkins-ci.main:cli (JAVA):
Affected version(s) >=1.396 <2.528.3Fix Suggestion:
Update to version 2.528.3org.jenkins-ci.main:jenkins-core (JAVA):
Affected version(s) >=1.396 <2.528.3Fix Suggestion:
Update to version 2.528.3org.jenkins-ci.main:cli (JAVA):
Affected version(s) >=2.529 <2.541Fix Suggestion:
Update to version 2.541org.jenkins-ci.main:jenkins-core (JAVA):
Affected version(s) >=2.529 <2.541Fix Suggestion:
Update to version 2.541Related ResourcesĀ (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Improper Resource Shutdown or Release
EPSS
Base Score:
0.11
