CVE-2025-67635 PUBLISHED

Assigner: jenkins
Reserved: 09.12.2025 Published: 10.12.2025 Updated: 16.12.2025

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service.

Product Status

Vendor	Jenkins Project
Product	Jenkins
Versions	Default: affected unaffected from 2.541 to * (excl.) unaffected from 2.528.3 to 2.528.* (excl.)

Credits

Camilo Vera Vidales (https://www.linkedin.com/in/camilo-vera-vidales/) finder

References

Jenkins Security Advisory 2025-12-10