The maintainers of Jenkins, the world’s leading open-source automation server, have issued a critical security advisory addressing a raft of vulnerabilities that could leave CI/CD pipelines exposed to denial-of-service (DoS) attacks and cross-site scripting (XSS) exploits. The latest security sprint patches nine distinct flaws, including a high-severity bug in the core HTTP-based CLI that requires no authentication to exploit.
The most severe vulnerability in this bundle, tracked as CVE-2025-67635, strikes at the heart of Jenkins’ connectivity. Rated High Severity, this flaw affects the HTTP-based Command Line Interface (CLI) in versions 2.540 and earlier.
The issue stems from improper connection handling. According to the advisory, the system “does not properly close HTTP-based CLI connections when the connection stream becomes corrupted”. This oversight creates a dangerous opening for unauthenticated attackers. By flooding the server with malformed CLI connection requests, an attacker can leave “request-handling threads waiting indefinitely,” effectively exhausting the server’s resources and bringing the automation pipeline to a grinding halt.
Another high-severity flaw, CVE-2025-67641, was discovered in the popular Coverage Plugin. This vulnerability allows attackers with “Item/Configure” permissions to weaponize coverage reports.
The plugin failed to validate coverage result IDs when submitted via the REST API. This loophole allowed attackers to “use a javascript: scheme URL as identifier,” leading to a Stored Cross-Site Scripting (XSS) condition. When an administrator views the compromised coverage report, the malicious script executes, potentially leading to session hijacking.
This issue has been resolved in Coverage Plugin version 2.3056.v1dfe888b_0249, which now strictly validates result identifiers.
The update also brings significant hardening to how Jenkins handles sensitive data.
- Build Tokens Encrypted: Previously, build authorization tokens were stored in plain text in config.xml files (CVE-2025-67637). The update now encrypts these tokens and masks them in the UI to prevent casual observation by users with read access.
- Password Redaction: A medium-severity flaw (CVE-2025-67636) allowed users with “View/Read” permissions to see encrypted password values that should have been redacted. The fix enforces stricter “View/Configure” permission checks for these fields.
While most issues have been resolved, one remains open. The HashiCorp Vault Plugin (CVE-2025-67642) contains a medium-severity flaw where system-scoped credentials can be accessed by users who should only have access to global configurations.
“As of publication of this advisory, there is no fix,” the report warns. Administrators relying on this plugin should monitor their configurations closely until a patch is available.
To mitigate these risks, organizations should prioritize the following actions:
- Core Update: Upgrade Jenkins core to 2.541 or LTS 2.528.3 to fix the DoS and CSRF vulnerabilities.
- Plugin Updates: Update the Git Client Plugin to version 6.4.1 to prevent OS command injection (CVE-2025-67640) and the BlazeMeter Plugin to version 4.27 to stop credential enumeration.
- Data Migration: After updating, navigate to “Manage Old Data” to encrypt existing build tokens.
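As an added illustration (not code from the advisory or the Jenkins project), the following Python script compares an instance's installed core and plugin versions against the fixed versions named above and lists the advisory items that still apply. Plugin display names are used as keys, and the rule that a three-component core version denotes an LTS release is an assumption of this example.

```python
import re

# Fixed versions as given in the advisory summary above.
CORE_FIX_WEEKLY = "2.541"
CORE_FIX_LTS = "2.528.3"
PLUGIN_FIXES = {  # display name -> (issue, first fixed version; None = no fix yet)
    "Coverage Plugin": ("CVE-2025-67641 stored XSS", "2.3056.v1dfe888b_0249"),
    "Git Client Plugin": ("CVE-2025-67640 OS command injection", "6.4.1"),
    "BlazeMeter Plugin": ("credential enumeration", "4.27"),
    "HashiCorp Vault Plugin": ("CVE-2025-67642 credential exposure", None),
}


def parse_version(version):
    """Numeric prefix of a Jenkins version as a tuple of ints.
    Plugin versions such as '2.3056.v1dfe888b_0249' carry a commit
    suffix that does not order releases, so parsing stops there."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def core_is_fixed(installed):
    """Weekly releases are fixed from 2.541, the LTS line from 2.528.3.
    Assumption: three numeric components denote an LTS release."""
    v = parse_version(installed)
    target = CORE_FIX_LTS if len(v) >= 3 else CORE_FIX_WEEKLY
    return v >= parse_version(target)


def outstanding_issues(core_version, installed_plugins):
    """Advisory items that still apply; installed_plugins maps plugin
    display name -> version. Plugins that are not installed are skipped."""
    issues = []
    if not core_is_fixed(core_version):
        issues.append(f"core {core_version}: CVE-2025-67635 CLI DoS and sensitive-data "
                      f"fixes (upgrade to {CORE_FIX_WEEKLY} or LTS {CORE_FIX_LTS})")
    for name, version in installed_plugins.items():
        if name not in PLUGIN_FIXES:
            continue
        issue, fixed = PLUGIN_FIXES[name]
        if fixed is None:
            issues.append(f"{name} {version}: {issue} (no fix yet; monitor configuration)")
        elif parse_version(version) < parse_version(fixed):
            issues.append(f"{name} {version}: {issue} (update to {fixed})")
    return issues
```

Feed it the versions shown under "Manage Jenkins > Plugins" and the core version from the footer; an empty result means every item in this advisory that has a fix is covered.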