CVE-2025-67635 Overview
A denial of service vulnerability exists in Jenkins 2.540 and earlier, as well as LTS 2.528.2 and earlier, where the application fails to properly close HTTP-based CLI connections when the connection stream becomes corrupted. This improper resource cleanup (CWE-404) allows unauthenticated attackers to exhaust server resources and cause service disruption without requiring any authentication or user interaction.
Critical Impact
Unauthenticated remote attackers can exploit this vulnerability to cause a denial of service by exhausting Jenkins server resources through corrupted HTTP-based CLI connections that are never properly closed.
Affected Products
- Jenkins 2.540 and earlier (Weekly releases)
- Jenkins LTS 2.528.2 and earlier (Long-Term Support releases)
- All Jenkins installations with HTTP-based CLI enabled
Discovery Timeline
- 2025-12-10 - CVE-2025-67635 published to NVD
- 2025-12-10 - Jenkins releases security advisory (SECURITY-3630)
- 2025-12-17 - Last updated in NVD database
Technical Details for CVE-2025-67635
Vulnerability Analysis
This vulnerability stems from improper resource release (CWE-404) in Jenkins' HTTP-based CLI connection handling mechanism. When a connection stream becomes corrupted during communication, the Jenkins server fails to properly terminate and release the associated resources. This design flaw creates a resource exhaustion condition that can be exploited remotely without authentication.
The attack can be executed over the network with low complexity, requiring no privileges or user interaction. While the vulnerability does not compromise data confidentiality or integrity, it poses a significant availability threat to Jenkins infrastructure.
Root Cause
The root cause is an improper resource shutdown vulnerability in Jenkins' HTTP-based CLI implementation. When connection streams become corrupted—whether through network issues, malformed requests, or intentional manipulation—the expected cleanup routines fail to execute properly. This results in zombie connections that consume server resources (such as file descriptors, memory, and thread pool slots) indefinitely.
The Improper Resource Shutdown or Release weakness (CWE-404) manifests because the error handling paths do not include proper connection termination logic. Normal connection lifecycle management expects clean disconnections, but corrupted streams bypass these cleanup mechanisms.
Attack Vector
An unauthenticated attacker can exploit this vulnerability by establishing HTTP-based CLI connections to the Jenkins server and intentionally corrupting the connection stream. This can be achieved through various methods:
The attack exploits the HTTP-based CLI endpoint, which is enabled by default in Jenkins installations. By sending malformed data or abruptly manipulating connection state mid-stream, an attacker can trigger the corruption condition. Since the server fails to release these connections, repeatedly triggering this condition will gradually exhaust available server resources.
Once sufficient resources are consumed, legitimate users will be unable to access Jenkins, and CI/CD pipelines relying on the Jenkins infrastructure will be disrupted. The attack requires no authentication, making it particularly dangerous for internet-exposed Jenkins instances.
Detection Methods for CVE-2025-67635
Indicators of Compromise
- Abnormal increase in the number of open HTTP connections to the Jenkins server
- Jenkins service becoming unresponsive or timing out on requests
- Elevated memory and file descriptor usage on the Jenkins host
- Multiple connection attempts from the same source IP targeting CLI endpoints
Detection Strategies
- Monitor Jenkins access logs for unusual patterns of CLI endpoint requests (/cli or similar paths)
- Implement connection rate limiting and alerting for HTTP-based CLI connections
- Track system-level metrics for file descriptor exhaustion and thread pool saturation
- Configure network monitoring to detect connection flood patterns targeting Jenkins
Monitoring Recommendations
- Enable detailed logging for Jenkins CLI operations and connection handling
- Set up alerts for when open connection counts exceed normal operational thresholds
- Monitor Jenkins health endpoints for availability degradation indicators
- Implement network-level traffic analysis for anomalous connection behavior
How to Mitigate CVE-2025-67635
Immediate Actions Required
- Upgrade Jenkins to a patched version as soon as available (versions newer than 2.540 or LTS 2.528.2)
- Consider disabling HTTP-based CLI if not required for operations
- Implement network-level access controls to restrict CLI endpoint access to trusted networks
- Deploy a web application firewall (WAF) or reverse proxy with connection rate limiting
Patch Information
Jenkins has released a security advisory addressing this vulnerability. Refer to the Jenkins Security Advisory SECURITY-3630 for official patch information and updated versions. Organizations should upgrade to the latest Jenkins release that includes the fix for this resource exhaustion issue.
Workarounds
- Disable the HTTP-based CLI by configuring Jenkins to use SSH-based CLI instead
- Restrict network access to Jenkins CLI endpoints using firewall rules or network segmentation
- Implement rate limiting at the load balancer or reverse proxy level to throttle excessive connections
- Monitor and automatically restart Jenkins if resource exhaustion is detected as a temporary measure
# Example: Disable HTTP-based CLI via Jenkins script console
# Navigate to Manage Jenkins > Script Console and run:
# Jenkins.instance.setSlaveAgentPort(-1)
# Example: Restrict CLI access via iptables (adjust IP ranges as needed)
iptables -A INPUT -p tcp --dport 8080 -m string --string "/cli" --algo bm -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
