Jenkins, one of the most widely used open-source automation servers, has released a new security advisory addressing multiple vulnerabilities that could expose users to denial-of-service attacks, unauthorized data access, and log manipulation. The flaws affect both Jenkins weekly and Long-Term Support (LTS) releases.
HTTP/2 Denial of Service – CVE-2025-5115
The most severe issue is a High-severity denial-of-service vulnerability in the bundled Jetty server. According to Jenkins, “Jenkins 2.523 and earlier, LTS 2.516.2 and earlier bundles versions of Jetty affected by the security vulnerability CVE-2025-5115 (‘MadeYouReset’). This vulnerability allows unauthenticated attackers to cause a denial of service.”
The issue only affects instances that explicitly enable HTTP/2, typically via the --http2Port argument. By default, HTTP/2 is disabled in native installers and Docker images provided by Jenkins. The advisory recommends upgrading to Jenkins 2.524 or LTS 2.516.3, which bundle Jetty 12.0.25, unaffected by this flaw. Administrators unable to upgrade should “disable HTTP/2.”
Missing Permission Checks – CVE-2025-59474 and CVE-2025-59475
Two Medium-severity vulnerabilities involve missing permission checks that could allow unauthorized information disclosure.
CVE-2025-59474: Jenkins explains that “Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission. This allows attackers without Overall/Read permission to list agent names.”
CVE-2025-59475: Another flaw affects the authenticated user profile dropdown menu. The advisory states, “This allows attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options in this menu (e.g., whether Credentials Plugin is installed).”
Both issues are resolved in Jenkins 2.528 and LTS 2.516.3, which enforce stricter permission checks.
Log Message Injection – CVE-2025-59476
A third Medium-severity vulnerability affects Jenkins’ log handling. The advisory warns, “In Jenkins 2.527 and earlier, LTS 2.516.2 and earlier, the log formatter that prepares log messages for console output does not restrict or transform the characters that can be inserted from user-specified content in log messages. This allows attackers able to control log message contents to insert line break characters, followed by forged log messages that may mislead administrators.”
While Jenkins 2.528 and LTS 2.516.3 add indicators ([CR], [LF], [CRLF]) for injected line breaks, the advisory cautions that attackers can still inject special characters (e.g., backspace or Unicode Trojan Source) that may deceive log viewers. Administrators are advised to use log/text viewers that highlight unusual characters to mitigate this risk.
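As an added illustration (not code from the Jenkins project), the following Python contrasts a console formatter that copies user-controlled text verbatim with one that marks injected line breaks using the same [CR]/[LF]/[CRLF] indicators the fix introduces, and adds the kind of scan a log viewer needs for the characters the advisory says remain dangerous. The sample input is constructed.

```python
import re
import unicodedata

# Constructed sample: a user-controlled value (e.g. a build parameter echoed into a
# log message) that carries a line break followed by a forged second log line.
FORGED_INPUT = "parameter value\n2025-09-17 12:00:00 INFO [core] Admin password reset by alice"

# Markers matching the indicators added in Jenkins 2.528 / LTS 2.516.3.
MARKERS = {"\r\n": "[CRLF]", "\r": "[CR]", "\n": "[LF]"}

# Unicode bidirectional controls abused in "Trojan Source" style attacks.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def format_unsafe(level: str, user_text: str) -> str:
    """Pre-fix behaviour: user text lands in the console line unchanged, so an
    embedded newline starts what looks like an independent log entry."""
    return f"{level}: {user_text}"


def format_hardened(level: str, user_text: str) -> str:
    """Post-fix behaviour: each injected line break becomes a visible marker, so
    the forged text stays on the line of the message that carried it."""
    marked = re.sub(r"\r\n|\r|\n", lambda m: MARKERS[m.group(0)], user_text)
    return f"{level}: {marked}"


def deceptive_characters(text: str) -> list[tuple[int, str]]:
    """Report characters the line-break fix does not neutralise: C0/C1 controls
    such as backspace (tab is allowed) and bidi overrides. Returns (offset, name)
    pairs a viewer can use to highlight them."""
    hits = []
    for offset, ch in enumerate(text):
        is_control = unicodedata.category(ch) == "Cc" and ch != "\t"
        if is_control or ch in BIDI_CONTROLS:
            hits.append((offset, unicodedata.name(ch, f"U+{ord(ch):04X}")))
    return hits


if __name__ == "__main__":
    print(format_unsafe("INFO", FORGED_INPUT))    # renders as two log lines
    print(format_hardened("INFO", FORGED_INPUT))  # renders as one line with [LF]
    print(deceptive_characters("abc\b\u202exyz"))
```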
Urgent Call for Patching
Jenkins weekly should be updated to version 2.528 and Jenkins LTS to version 2.516.3. Given Jenkins’ central role in CI/CD pipelines worldwide, exploitation of these flaws could disrupt build systems, expose sensitive configurations, and compromise trust in development environments. Organizations running vulnerable versions are strongly urged to upgrade immediately or apply mitigations where upgrades are not feasible.