Jenkins, a widely used open-source automation server, has released critical security updates to address multiple high-severity vulnerabilities that could expose CI/CD pipelines to significant risks. The most severe flaw, tracked as CVE-2025-67635, affects Jenkins versions 2.540 and earlier (including LTS 2.528.2 and earlier) and allows unauthenticated attackers to trigger denial-of-service (DoS) attacks via the HTTP-based command-line interface. This vulnerability arises from improper connection handling, where corrupted HTTP CLI streams are not properly closed, enabling attackers to exhaust server resources and render Jenkins instances unresponsive. Organizations relying on Jenkins are urged to upgrade to version 2.541 or LTS 2.528.3 to mitigate this risk.
In addition to the DoS vulnerability, another high-severity issue, CVE-2025-67641, was identified in the Jenkins Coverage Plugin. This flaw allows attackers with "Item/Configure" permissions to exploit coverage reports for stored cross-site scripting (XSS) attacks by submitting malicious JavaScript via the REST API. If an administrator views a compromised report, the script executes, potentially leading to session hijacking. Both vulnerabilities have been addressed in the latest Jenkins security updates, and immediate patching is recommended to protect against exploitation.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
By 2025-12-10, Jenkins' advisory also identified CVE-2025-67642, a medium-severity vulnerability in the HashiCorp Vault Plugin, as not yet patched. Administrators were advised to review the advisory and take mitigating action where possible.
On 2025-12-10, Jenkins released fixes for CVE-2025-67635, a high-severity denial-of-service vulnerability affecting Jenkins 2.540 and earlier and LTS 2.528.2 and earlier. Patched versions 2.541 and LTS 2.528.3 prevent malformed HTTP CLI requests from exhausting server resources.
On 2025-12-10, Jenkins publicly disclosed CVE-2025-67641, a high-severity stored XSS flaw in Coverage Plugin versions 2.3054.ve1ff7b_a_a_123b_ and earlier. The issue allows an attacker with Item/Configure permission to inject a malicious javascript: URL as a coverage results ID via the REST API.
On 2025-12-10, Jenkins released a security advisory covering multiple vulnerabilities in Jenkins core and several plugins, including BlazeMeter, Coverage, Git client, HashiCorp Vault, and Redpen - Pipeline Reporter for Jira. The advisory urged administrators to review affected versions and apply recommended updates.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
securityonline.info
Open sourcecybersecuritynews.com
Open sourcecvefeed.io
Open sourcecyber.gc.ca
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.