CVE-2025-67635: Jenkins has a Denial of service vulnerability in HTTP-based CLI

December 10, 2025

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service.

References

github.com/advisories/GHSA-9p56-p6mw-w8qc
github.com/jenkinsci/jenkins
github.com/jenkinsci/jenkins/commit/efa1816322026f2b9235a27eee814bcc7ba0a764
nvd.nist.gov/vuln/detail/CVE-2025-67635
www.jenkins.io/security/advisory/2025-12-10/

Code Behaviors & Features

Detect and mitigate CVE-2025-67635 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →