Jenkins Security Patch Fixed HTTP/2 DoS and Permission Issues  

Security advisory: Jenkins has patched a high-severity flaw in the Jetty HTTP server bundled with it. Malformed HTTP/2 frames cause Jetty to repeatedly reset streams, letting an unauthenticated attacker exhaust server resources and cause a denial of service. Only instances running with HTTP/2 enabled, which is not the default setting, are affected by this issue; three medium-severity permission-check and log-injection flaws in Jenkins core were fixed alongside it.

Severity: High
CVSS Score: 7.7
CVEs: CVE-2025-5115, CVE-2025-59474, CVE-2025-59475, CVE-2025-59476
PoC Available: No
Actively Exploited: No
Exploited in the Wild: No
Advisory Version: 1.0

Overview 

Jenkins, a popular open-source automation server used for building and deploying software, recently patched several security flaws, one rated high and three rated medium severity.

The high-severity issue is a Denial-of-Service (DoS) vulnerability that could allow an attacker, without logging in, to exhaust the server's resources and render it unresponsive.

The other issues are the risk of users without the proper permission viewing sensitive configuration information, and the possibility of attackers inserting forged log entries to mislead system administrators. Jenkins has released updates that fix all of these issues and strongly recommends that users upgrade to the latest versions.

| Vulnerability Name                              | CVE ID         | Product Affected        | Severity | Fixed Version                 |
|-------------------------------------------------|----------------|-------------------------|----------|-------------------------------|
| HTTP/2 Denial of Service in bundled Jetty       | CVE-2025-5115  | Jenkins (bundled Jetty) | High     | Weekly 2.524+, LTS 2.516.3+   |
| Missing permission check: agent names           | CVE-2025-59474 | Jenkins core            | Medium   | Weekly 2.528+, LTS 2.516.3+   |
| Missing permission check: user profile menu     | CVE-2025-59475 | Jenkins core            | Medium   | Weekly 2.528+, LTS 2.516.3+   |
| Log Message Injection Vulnerability             | CVE-2025-59476 | Jenkins core            | Medium   | Weekly 2.528+, LTS 2.516.3+   |

Technical Summary 

Beyond the HTTP/2 DoS in the bundled Jetty server (CVE-2025-5115), permission checks in two user interface areas were incomplete, allowing users without the required permission to read information such as agent names and configuration details.

There was also a flaw in log message processing that lets an attacker insert misleading entries to confuse administrators. All four issues are fixed in the Jenkins versions listed above.

| CVE ID         | System Affected                                                  | Vulnerability Details                                                                                                                                                             | Impact                     |
|----------------|------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|
| CVE-2025-5115  | Jenkins instances with the embedded Jetty server and HTTP/2 enabled | Malicious or malformed HTTP/2 frames cause the Jetty server to repeatedly reset HTTP/2 streams (RST_STREAM), leading to resource exhaustion and potential denial of service.   | Denial of service          |
| CVE-2025-59474 | Jenkins automation server                                        | Missing permission check allowing unauthorized users to view Jenkins agent/executor names via the side panel executors widget.                                                     | Information disclosure     |
| CVE-2025-59475 | Jenkins automation server                                        | Missing permission check allowing authenticated users without Overall/Read permission to view sensitive configuration details via the Jenkins user profile dropdown menu.       | Information disclosure     |
| CVE-2025-59476 | Jenkins automation server                                        | An attacker can inject line breaks into Jenkins log messages, producing forged or misleading log entries.                                                                        | Misleading administrators  |

Remediation

  • Users should immediately install the latest patched version of Jenkins on all servers:
      ◦ Weekly release: update to Jenkins 2.528 or later.
      ◦ Long-Term Support (LTS): update to Jenkins 2.516.3 or later.

Additional recommendations:

  • If an immediate upgrade is not possible, disable HTTP/2 to mitigate the Denial-of-Service vulnerability.
  • Always keep Jenkins core and plugins up to date with the latest security patches.
  • Regularly audit and monitor access logs and system activity.
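As an added example (not part of the advisory or of Jenkins itself), the following Python check applies the fixed versions from the table above to a reported Jenkins version. It handles the distinction that matters in practice: weekly releases carry two version components and LTS releases three, so each line must be compared against its own fixed version, and CVE-2025-5115 is only relevant when HTTP/2 is enabled. It assumes the version is taken from the `X-Jenkins` response header that Jenkins sends.

```python
"""Added example: decide which of this advisory's CVEs a Jenkins version is
still exposed to. Weekly releases have two components (2.528), LTS releases
three (2.516.3); each line is compared against its own fixed version."""
from __future__ import annotations

# Fixed versions per CVE and release line, as given in the advisory table.
FIXED_VERSIONS = {
    "CVE-2025-5115": {"weekly": (2, 524), "lts": (2, 516, 3)},
    "CVE-2025-59474": {"weekly": (2, 528), "lts": (2, 516, 3)},
    "CVE-2025-59475": {"weekly": (2, 528), "lts": (2, 516, 3)},
    "CVE-2025-59476": {"weekly": (2, 528), "lts": (2, 516, 3)},
}


def parse_version(version: str) -> tuple[str, tuple[int, ...]]:
    """Return (release_line, numeric tuple); 2 components = weekly, 3 = LTS."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) == 2:
        return "weekly", parts
    if len(parts) == 3:
        return "lts", parts
    raise ValueError(f"unrecognised Jenkins version: {version!r}")


def unpatched_cves(version: str, http2_enabled: bool = False) -> list[str]:
    """CVEs from the advisory that this version still lacks the fix for.
    CVE-2025-5115 is only reachable with HTTP/2 enabled on the bundled Jetty
    server (not the default), so it is reported only if http2_enabled is True."""
    line, parts = parse_version(version)
    exposed = []
    for cve, fixed in FIXED_VERSIONS.items():
        if cve == "CVE-2025-5115" and not http2_enabled:
            continue
        if parts < fixed[line]:
            exposed.append(cve)
    return exposed


def version_from_headers(headers: dict[str, str]) -> str | None:
    """Jenkins reports its version in the X-Jenkins response header."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real server.
    sample = {"X-Jenkins": "2.516.2", "Content-Type": "text/html"}
    print(unpatched_cves(version_from_headers(sample), http2_enabled=True))
```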

Conclusion

These security flaws could seriously affect Jenkins users, especially those relying on it for continuous integration and deployment. The DoS vulnerability is particularly dangerous because, on instances with HTTP/2 enabled, it can be triggered by anyone over the internet without an account.

Enterprise administrators and users should upgrade immediately to the patched versions, or disable HTTP/2 until they can, to reduce the risk. Keeping Jenkins up to date, restricting user permissions and monitoring logs are essential to prevent attacks and maintain the stability and safety of software delivery pipelines.
