Security advisory: Jenkins has addressed critical security flaws in its built-in HTTP server related to the handling of HTTP/2 connections, where attackers could overwhelm the server and cause a denial of service. This mainly impacts Jenkins instances running with HTTP/2 enabled, which is not the default setting.
| Field | Value |
|---|---|
| Severity | High |
| CVSS Score | 7.7 |
| CVEs | CVE-2025-5115, CVE-2025-59474, CVE-2025-59475, CVE-2025-59476 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Jenkins, a popular open-source automation server used for building and deploying software, recently patched several high- and medium-severity security flaws.
The high-severity issue is a Denial-of-Service (DoS) vulnerability that could allow attackers to overwhelm the server and make it stop working properly, without needing to log in.
The other issues include the risk of unauthorized users viewing sensitive configuration information and the possibility of attackers inserting fake log entries to confuse system administrators. Jenkins has released updates that fix these issues and strongly recommends that users upgrade to the latest versions to stay protected.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
|---|---|---|---|---|
| HTTP/2 Denial of Service in bundled Jetty | CVE-2025-5115 | Jenkins (bundled Jetty) | High | Weekly 2.524+, LTS 2.516.3+ |
| Missing permission check – agent names | CVE-2025-59474 | Jenkins core | Medium | Weekly 2.528+, LTS 2.516.3+ |
| Missing permission check – user profile menu | CVE-2025-59475 | Jenkins core | Medium | Weekly 2.528+, LTS 2.516.3+ |
| Log Message Injection Vulnerability | CVE-2025-59476 | Jenkins core | Medium | Weekly 2.528+, LTS 2.516.3+ |
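The fixed-version table above is what an administrator actually triages an estate against, and the weekly and LTS lines have different thresholds for the same CVE. The following is an added example, not Jenkins project code: it takes the thresholds from the table, tells the two release lines apart by their version shape (weekly releases carry two components such as 2.524, LTS releases three such as 2.516.3), and applies the advisory's note that CVE-2025-5115 only affects instances with HTTP/2 enabled. The host inventory is constructed.

```python
"""Flag Jenkins instances still affected by the CVEs in this advisory.

Added example; not Jenkins code. Thresholds come from the advisory's
fixed-version table. The inventory below is constructed.
"""

# Fixed versions per CVE, keyed by release line (from the advisory table).
FIXED = {
    "CVE-2025-5115":  {"weekly": (2, 524), "lts": (2, 516, 3)},
    "CVE-2025-59474": {"weekly": (2, 528), "lts": (2, 516, 3)},
    "CVE-2025-59475": {"weekly": (2, 528), "lts": (2, 516, 3)},
    "CVE-2025-59476": {"weekly": (2, 528), "lts": (2, 516, 3)},
}


def parse_version(version: str) -> tuple:
    """'2.516.3' -> (2, 516, 3); '2.524' -> (2, 524)."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return parts


def release_line(parts: tuple) -> str:
    """Weekly releases have two components, LTS releases three."""
    return "weekly" if len(parts) == 2 else "lts"


def affected_cves(version: str, http2_enabled: bool) -> list:
    """Return the CVEs from this advisory that still apply to `version`."""
    parts = parse_version(version)
    line = release_line(parts)
    result = []
    for cve, fixed in FIXED.items():
        # Per the advisory, the Jetty DoS only matters with HTTP/2 enabled.
        if cve == "CVE-2025-5115" and not http2_enabled:
            continue
        if parts < fixed[line]:
            result.append(cve)
    return result


def triage(inventory: dict) -> dict:
    """Map host -> list of outstanding CVEs; hosts with none are omitted."""
    report = {}
    for host, (version, http2) in inventory.items():
        cves = affected_cves(version, http2)
        if cves:
            report[host] = cves
    return report


if __name__ == "__main__":
    # Constructed inventory: host -> (version string, HTTP/2 enabled?).
    INVENTORY = {
        "ci-lts-old":     ("2.516.2", True),
        "ci-lts-patched": ("2.516.3", True),
        "ci-weekly-524":  ("2.524", True),
        "ci-weekly-noh2": ("2.523", False),
    }
    for host, cves in triage(INVENTORY).items():
        print(f"{host}: {', '.join(cves)}")
```

The version string can be read from each controller's `X-Jenkins` response header or from the About page; feed it in with whether HTTP/2 was switched on in that instance's Jetty configuration, since that setting decides whether the high-severity item applies at all.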
Technical Summary
Beyond the HTTP/2 issue, permission checks in some user interface areas were incomplete, allowing unauthorized users to access sensitive information such as agent names and configuration details.
There was also a vulnerability in log message processing that could let attackers insert misleading entries to confuse administrators. All of these issues are fixed in the latest Jenkins versions.
| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2025-5115 | Jenkins instances whose embedded Jetty server has HTTP/2 enabled | Malicious or malformed HTTP/2 frames cause the bundled Jetty server to repeatedly reset HTTP/2 streams (RST_STREAM), leading to resource exhaustion and a potential denial of service. | Denial of service |
| CVE-2025-59474 | Jenkins automation server | Permission check flaw allowing unauthorized users to view Jenkins agent/executor names via the side panel executors widget. | Information disclosure |
| CVE-2025-59475 | Jenkins automation server | Permission check flaw allowing authenticated users without Overall/Read permission to view sensitive configuration details via the Jenkins user profile dropdown menu. | Information disclosure |
| CVE-2025-59476 | Jenkins automation server | An attacker can inject line breaks into Jenkins log messages, leading to forged or misleading log entries. | Misleading administrators |
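The CVE-2025-59476 row describes the classic log-injection pattern: a line break inside an attacker-controlled value makes the tail of one message look like a brand-new record. The following is an added example, not Jenkins code, showing both sides of that from a defender's view: escaping line-break characters before a message is written, so that the record stays one physical line, and a scan that flags records in an already-escaped log whose body contains an escaped line break immediately followed by something shaped like a record header (the fingerprint an attempt leaves behind once escaping is in place). The record layout (timestamp, `[id=N]`, level, message) is an assumed approximation of a `java.util.logging`-style line, and the sample messages are constructed.

```python
"""Neutralise and detect line-break injection in log messages.

Added example; not Jenkins code. The record layout and the sample
messages are constructed for illustration.
"""
import re

# Characters that can split one log message into several apparent lines.
LINE_BREAKS = {
    "\r": "\\r", "\n": "\\n", "\x0b": "\\v", "\x0c": "\\f",
    "\x85": "\\x85", "\u2028": "\\u2028", "\u2029": "\\u2029",
}


def sanitize(message: str) -> str:
    """Escape every line-break character so one record stays one line."""
    return "".join(LINE_BREAKS.get(ch, ch) for ch in message)


def format_record(ts: str, thread_id: int, level: str, message: str,
                  escape: bool = True) -> str:
    """Render a record in the assumed layout; escape=False mimics the
    vulnerable behaviour where the message is written through unchanged."""
    body = sanitize(message) if escape else message
    return f"{ts} [id={thread_id}] {level} {body}"


# What a genuine record header looks like in the assumed layout.
RECORD_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4} "
    r"\[id=\d+\] (?:SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST) "
)
# An escaped line break followed by a timestamp-shaped header inside a
# record body: the trace an injection attempt leaves once escaping is on.
HEADER_IN_BODY = re.compile(
    r"\\[rn](?:\\[rn])*\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
)


def record_count(log_text: str) -> int:
    """Lines that parse as records. A successful forgery is counted as one,
    which is exactly why this number alone cannot reveal the forgery."""
    return sum(1 for line in log_text.splitlines() if RECORD_RE.match(line))


def injection_attempts(log_text: str) -> list:
    """(line number, line) for escaped records that carry a fake header."""
    return [
        (n, line)
        for n, line in enumerate(log_text.splitlines(), start=1)
        if RECORD_RE.match(line) and HEADER_IN_BODY.search(line)
    ]


# Constructed sample: an attacker-controlled name carrying a forged record.
TS = "2025-09-17 10:00:00.000+0000"
TAINTED_NAME = ("agent-7\n2025-09-17 10:00:01.000+0000 [id=12] INFO "
                "admin 'bob' logged in")


def demo():
    """Return (unescaped record count, escaped record count, flagged lines)."""
    unsafe_log = format_record(TS, 12, "INFO", "Created " + TAINTED_NAME,
                               escape=False)
    safe_log = format_record(TS, 12, "INFO", "Created " + TAINTED_NAME)
    return record_count(unsafe_log), record_count(safe_log), \
        injection_attempts(safe_log)


if __name__ == "__main__":
    unsafe_n, safe_n, flagged = demo()
    print(f"without escaping: {unsafe_n} records (forgery indistinguishable)")
    print(f"with escaping:    {safe_n} record, {len(flagged)} flagged")
```

The two counts make the point of the advisory row concrete: without escaping, the forged entry is indistinguishable from a real one by shape, so only the writer side can fix this; with escaping, the attempt collapses into a single record that a log pipeline can flag and route to an analyst.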
Remediation:
Here are some recommendations below.
Conclusion:
These security flaws could seriously impact Jenkins users, especially those relying on it for continuous integration and deployment. The DoS vulnerability is particularly dangerous because it can be triggered by anyone over the internet, even without an account.
Enterprise administrators and users should upgrade immediately to the patched versions or disable HTTP/2 to reduce the risk. Keeping Jenkins up to date and following good security practices, including restricting user permissions and monitoring logs, is essential to prevent attacks and maintain the stability and safety of software delivery pipelines.